feat: port reduction (#323)

* move mgmt pkg

* begin package restructure

* rename auth package to authz

* begin start api

* move auth

* move admin

* fix merge

* configs and interceptors

* interceptor

* revert generate-grpc.sh

* some cleanups

* console

* move console

* fix tests and merging

* js linting

* merge

* merging and configs

* change k8s base to current ports

* fixes

* cleanup

* regenerate proto

* remove unnecessary whitespace

* missing param

* go mod tidy

* fix merging

* move login pkg

* cleanup

* move api pkgs again

* fix pkg naming

* fix generate-static.sh for login

* update workflow

* fixes

* logging

* remove duplicate

* comment for optional gateway interfaces

* regenerate protos

* fix proto imports for grpc web

* protos

* grpc web generate

* grpc web generate

* fix changes

* add translation interceptor

* fix merging

* regenerate mgmt proto

internal/api/grpc/management/application.go

@@ -0,0 +1,83 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) SearchApplications(ctx context.Context, in *management.ApplicationSearchRequest) (*management.ApplicationSearchResponse, error) {
+	response, err := s.project.SearchApplications(ctx, applicationSearchRequestsToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return applicationSearchResponseFromModel(response), nil
+}
+
+func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
+	app, err := s.project.ApplicationByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return applicationViewFromModel(app), nil
+}
+
+func (s *Server) CreateOIDCApplication(ctx context.Context, in *management.OIDCApplicationCreate) (*management.Application, error) {
+	app, err := s.project.AddApplication(ctx, oidcAppCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return appFromModel(app), nil
+}
+func (s *Server) UpdateApplication(ctx context.Context, in *management.ApplicationUpdate) (*management.Application, error) {
+	app, err := s.project.ChangeApplication(ctx, appUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return appFromModel(app), nil
+}
+func (s *Server) DeactivateApplication(ctx context.Context, in *management.ApplicationID) (*management.Application, error) {
+	app, err := s.project.DeactivateApplication(ctx, in.ProjectId, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return appFromModel(app), nil
+}
+func (s *Server) ReactivateApplication(ctx context.Context, in *management.ApplicationID) (*management.Application, error) {
+	app, err := s.project.ReactivateApplication(ctx, in.ProjectId, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return appFromModel(app), nil
+}
+
+func (s *Server) RemoveApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
+	err := s.project.RemoveApplication(ctx, in.ProjectId, in.Id)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *management.OIDCConfigUpdate) (*management.OIDCConfig, error) {
+	config, err := s.project.ChangeOIDCConfig(ctx, oidcConfigUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return oidcConfigFromModel(config), nil
+}
+
+func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *management.ApplicationID) (*management.ClientSecret, error) {
+	config, err := s.project.ChangeOIDConfigSecret(ctx, in.ProjectId, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return &management.ClientSecret{ClientSecret: config.ClientSecretString}, nil
+}
+
+func (s *Server) ApplicationChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
+	response, err := s.project.ApplicationChanges(ctx, changesRequest.Id, changesRequest.SecId, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
+	if err != nil {
+		return nil, err
+	}
+	return appChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
+}

internal/api/grpc/management/application_converter.go

@@ -0,0 +1,350 @@
+package management
+
+import (
+	"encoding/json"
+
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/model"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
+)
+
+func appFromModel(app *proj_model.Application) *management.Application {
+	creationDate, err := ptypes.TimestampProto(app.CreationDate)
+	logging.Log("GRPC-iejs3").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(app.ChangeDate)
+	logging.Log("GRPC-di7rw").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.Application{
+		Id:           app.AppID,
+		State:        appStateFromModel(app.State),
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Name:         app.Name,
+		Sequence:     app.Sequence,
+		AppConfig:    appConfigFromModel(app),
+	}
+}
+
+func appConfigFromModel(app *proj_model.Application) management.AppConfig {
+	if app.Type == proj_model.AppTypeOIDC {
+		return &management.Application_OidcConfig{
+			OidcConfig: oidcConfigFromModel(app.OIDCConfig),
+		}
+	}
+	return nil
+}
+
+func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
+	return &management.OIDCConfig{
+		RedirectUris:           config.RedirectUris,
+		ResponseTypes:          oidcResponseTypesFromModel(config.ResponseTypes),
+		GrantTypes:             oidcGrantTypesFromModel(config.GrantTypes),
+		ApplicationType:        oidcApplicationTypeFromModel(config.ApplicationType),
+		ClientId:               config.ClientID,
+		ClientSecret:           config.ClientSecretString,
+		AuthMethodType:         oidcAuthMethodTypeFromModel(config.AuthMethodType),
+		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+	}
+}
+
+func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *management.OIDCConfig {
+	return &management.OIDCConfig{
+		RedirectUris:           app.OIDCRedirectUris,
+		ResponseTypes:          oidcResponseTypesFromModel(app.OIDCResponseTypes),
+		GrantTypes:             oidcGrantTypesFromModel(app.OIDCGrantTypes),
+		ApplicationType:        oidcApplicationTypeFromModel(app.OIDCApplicationType),
+		ClientId:               app.OIDCClientID,
+		AuthMethodType:         oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
+		PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+	}
+}
+
+func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.Application {
+	return &proj_model.Application{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: app.ProjectId,
+		},
+		Name: app.Name,
+		Type: proj_model.AppTypeOIDC,
+		OIDCConfig: &proj_model.OIDCConfig{
+			RedirectUris:           app.RedirectUris,
+			ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
+			GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
+			ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
+			AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
+			PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+		},
+	}
+}
+
+func appUpdateToModel(app *management.ApplicationUpdate) *proj_model.Application {
+	return &proj_model.Application{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: app.ProjectId,
+		},
+		AppID: app.Id,
+		Name:  app.Name,
+	}
+}
+
+func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCConfig {
+	return &proj_model.OIDCConfig{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: app.ProjectId,
+		},
+		AppID:                  app.ApplicationId,
+		RedirectUris:           app.RedirectUris,
+		ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
+		GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
+		ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
+		AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
+		PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+	}
+}
+
+func applicationSearchRequestsToModel(request *management.ApplicationSearchRequest) *proj_model.ApplicationSearchRequest {
+	return &proj_model.ApplicationSearchRequest{
+		Offset:  request.Offset,
+		Limit:   request.Limit,
+		Queries: applicationSearchQueriesToModel(request.ProjectId, request.Queries),
+	}
+}
+
+func applicationSearchQueriesToModel(projectID string, queries []*management.ApplicationSearchQuery) []*proj_model.ApplicationSearchQuery {
+	converted := make([]*proj_model.ApplicationSearchQuery, len(queries)+1)
+	for i, q := range queries {
+		converted[i] = applicationSearchQueryToModel(q)
+	}
+	converted[len(queries)] = &proj_model.ApplicationSearchQuery{Key: proj_model.AppSearchKeyProjectID, Method: model.SearchMethodEquals, Value: projectID}
+
+	return converted
+}
+
+func applicationSearchQueryToModel(query *management.ApplicationSearchQuery) *proj_model.ApplicationSearchQuery {
+	return &proj_model.ApplicationSearchQuery{
+		Key:    applicationSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func applicationSearchKeyToModel(key management.ApplicationSearchKey) proj_model.AppSearchKey {
+	switch key {
+	case management.ApplicationSearchKey_APPLICATIONSEARCHKEY_APP_NAME:
+		return proj_model.AppSearchKeyName
+	default:
+		return proj_model.AppSearchKeyUnspecified
+	}
+}
+
+func applicationSearchResponseFromModel(response *proj_model.ApplicationSearchResponse) *management.ApplicationSearchResponse {
+	return &management.ApplicationSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      applicationViewsFromModel(response.Result),
+	}
+}
+
+func applicationViewsFromModel(apps []*proj_model.ApplicationView) []*management.ApplicationView {
+	converted := make([]*management.ApplicationView, len(apps))
+	for i, app := range apps {
+		converted[i] = applicationViewFromModel(app)
+	}
+	return converted
+}
+
+func applicationViewFromModel(application *proj_model.ApplicationView) *management.ApplicationView {
+	creationDate, err := ptypes.TimestampProto(application.CreationDate)
+	logging.Log("GRPC-lo9sw").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(application.ChangeDate)
+	logging.Log("GRPC-8uwsd").OnError(err).Debug("unable to parse timestamp")
+
+	converted := &management.ApplicationView{
+		Id:           application.ID,
+		State:        appStateFromModel(application.State),
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Name:         application.Name,
+		Sequence:     application.Sequence,
+	}
+	if application.IsOIDC {
+		converted.AppConfig = &management.ApplicationView_OidcConfig{
+			OidcConfig: oidcConfigFromApplicationViewModel(application),
+		}
+	}
+	return converted
+}
+
+func appStateFromModel(state proj_model.AppState) management.AppState {
+	switch state {
+	case proj_model.AppStateActive:
+		return management.AppState_APPSTATE_ACTIVE
+	case proj_model.AppStateInactive:
+		return management.AppState_APPSTATE_INACTIVE
+	default:
+		return management.AppState_APPSTATE_UNSPECIFIED
+	}
+}
+
+func oidcResponseTypesToModel(responseTypes []management.OIDCResponseType) []proj_model.OIDCResponseType {
+	if responseTypes == nil || len(responseTypes) == 0 {
+		return []proj_model.OIDCResponseType{proj_model.OIDCResponseTypeCode}
+	}
+	oidcResponseTypes := make([]proj_model.OIDCResponseType, len(responseTypes))
+
+	for i, responseType := range responseTypes {
+		switch responseType {
+		case management.OIDCResponseType_OIDCRESPONSETYPE_CODE:
+			oidcResponseTypes[i] = proj_model.OIDCResponseTypeCode
+		case management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN:
+			oidcResponseTypes[i] = proj_model.OIDCResponseTypeIDToken
+		case management.OIDCResponseType_OIDCRESPONSETYPE_TOKEN:
+			oidcResponseTypes[i] = proj_model.OIDCResponseTypeToken
+		}
+	}
+
+	return oidcResponseTypes
+}
+
+func oidcResponseTypesFromModel(responseTypes []proj_model.OIDCResponseType) []management.OIDCResponseType {
+	oidcResponseTypes := make([]management.OIDCResponseType, len(responseTypes))
+
+	for i, responseType := range responseTypes {
+		switch responseType {
+		case proj_model.OIDCResponseTypeCode:
+			oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_CODE
+		case proj_model.OIDCResponseTypeIDToken:
+			oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN
+		case proj_model.OIDCResponseTypeToken:
+			oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_TOKEN
+		}
+	}
+
+	return oidcResponseTypes
+}
+
+func oidcGrantTypesToModel(grantTypes []management.OIDCGrantType) []proj_model.OIDCGrantType {
+	if grantTypes == nil || len(grantTypes) == 0 {
+		return []proj_model.OIDCGrantType{proj_model.OIDCGrantTypeAuthorizationCode}
+	}
+	oidcGrantTypes := make([]proj_model.OIDCGrantType, len(grantTypes))
+
+	for i, grantType := range grantTypes {
+		switch grantType {
+		case management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE:
+			oidcGrantTypes[i] = proj_model.OIDCGrantTypeAuthorizationCode
+		case management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT:
+			oidcGrantTypes[i] = proj_model.OIDCGrantTypeImplicit
+		case management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN:
+			oidcGrantTypes[i] = proj_model.OIDCGrantTypeRefreshToken
+		}
+	}
+	return oidcGrantTypes
+}
+
+func oidcGrantTypesFromModel(grantTypes []proj_model.OIDCGrantType) []management.OIDCGrantType {
+	oidcGrantTypes := make([]management.OIDCGrantType, len(grantTypes))
+
+	for i, grantType := range grantTypes {
+		switch grantType {
+		case proj_model.OIDCGrantTypeAuthorizationCode:
+			oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE
+		case proj_model.OIDCGrantTypeImplicit:
+			oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT
+		case proj_model.OIDCGrantTypeRefreshToken:
+			oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN
+		}
+	}
+	return oidcGrantTypes
+}
+
+func oidcApplicationTypeToModel(appType management.OIDCApplicationType) proj_model.OIDCApplicationType {
+	switch appType {
+	case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB:
+		return proj_model.OIDCApplicationTypeWeb
+	case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT:
+		return proj_model.OIDCApplicationTypeUserAgent
+	case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE:
+		return proj_model.OIDCApplicationTypeNative
+	}
+	return proj_model.OIDCApplicationTypeWeb
+}
+
+func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType {
+	switch appType {
+	case proj_model.OIDCApplicationTypeWeb:
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB
+	case proj_model.OIDCApplicationTypeUserAgent:
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT
+	case proj_model.OIDCApplicationTypeNative:
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE
+	default:
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB
+	}
+}
+
+func oidcAuthMethodTypeToModel(authType management.OIDCAuthMethodType) proj_model.OIDCAuthMethodType {
+	switch authType {
+	case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC:
+		return proj_model.OIDCAuthMethodTypeBasic
+	case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST:
+		return proj_model.OIDCAuthMethodTypePost
+	case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE:
+		return proj_model.OIDCAuthMethodTypeNone
+	default:
+		return proj_model.OIDCAuthMethodTypeBasic
+	}
+}
+
+func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) management.OIDCAuthMethodType {
+	switch authType {
+	case proj_model.OIDCAuthMethodTypeBasic:
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
+	case proj_model.OIDCAuthMethodTypePost:
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST
+	case proj_model.OIDCAuthMethodTypeNone:
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE
+	default:
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
+	}
+}
+
+func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
+	return &management.Changes{
+		Limit:   limit,
+		Offset:  offset,
+		Changes: appChangesToMgtAPI(response),
+	}
+}
+
+func appChangesToMgtAPI(changes *proj_model.ApplicationChanges) (_ []*management.Change) {
+	result := make([]*management.Change, len(changes.Changes))
+
+	for i, change := range changes.Changes {
+		b, err := json.Marshal(change.Data)
+		data := &structpb.Struct{}
+		err = protojson.Unmarshal(b, data)
+		if err != nil {
+		}
+		result[i] = &management.Change{
+			ChangeDate: change.ChangeDate,
+			EventType:  message.NewLocalizedEventType(change.EventType),
+			Sequence:   change.Sequence,
+			Editor:     change.ModifierName,
+			EditorId:   change.ModifierId,
+			Data:       data,
+		}
+	}
+
+	return result
+}

internal/api/grpc/management/gateway.go

@@ -0,0 +1,50 @@
+package management
+
+import (
+	"strings"
+
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+type Gateway struct {
+	grpcEndpoint string
+	port         string
+	cutomHeaders []string
+}
+
+func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
+	return &Gateway{
+		grpcEndpoint: conf.GRPCEndpoint,
+		port:         conf.Port,
+		cutomHeaders: conf.CustomHeaders,
+	}
+}
+
+func (gw *Gateway) Gateway() server.GatewayFunc {
+	return management.RegisterManagementServiceHandlerFromEndpoint
+}
+
+func (gw *Gateway) GRPCEndpoint() string {
+	return ":" + gw.grpcEndpoint
+}
+
+func (gw *Gateway) GatewayPort() string {
+	return gw.port
+}
+
+func (gw *Gateway) GatewayServeMuxOptions() []runtime.ServeMuxOption {
+	return []runtime.ServeMuxOption{
+		runtime.WithIncomingHeaderMatcher(func(header string) (string, bool) {
+			for _, customHeader := range gw.cutomHeaders {
+				if strings.HasPrefix(strings.ToLower(header), customHeader) {
+					return header, true
+				}
+			}
+			return runtime.DefaultHeaderMatcher(header)
+		}),
+	}
+}

internal/api/grpc/management/iam.go

@@ -0,0 +1,17 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetIam(ctx context.Context, _ *empty.Empty) (*management.Iam, error) {
+	iam, err := s.iam.IamByID(ctx, s.systemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iamFromModel(iam), nil
+}

internal/api/grpc/management/iam_converter.go

@@ -0,0 +1,15 @@
+package management
+
+import (
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func iamFromModel(iam *iam_model.Iam) *management.Iam {
+	return &management.Iam{
+		IamProjectId: iam.IamProjectID,
+		GlobalOrgId:  iam.GlobalOrgID,
+		SetUpDone:    iam.SetUpDone,
+		SetUpStarted: iam.SetUpStarted,
+	}
+}

internal/api/grpc/management/org.go

@@ -0,0 +1,79 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetMyOrg(ctx context.Context, _ *empty.Empty) (*management.OrgView, error) {
+	org, err := s.org.OrgByID(ctx, authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return orgViewFromModel(org), nil
+}
+
+func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *management.Domain) (*management.OrgView, error) {
+	org, err := s.org.OrgByDomainGlobal(ctx, in.Domain)
+	if err != nil {
+		return nil, err
+	}
+	return orgViewFromModel(org), nil
+}
+
+func (s *Server) DeactivateMyOrg(ctx context.Context, _ *empty.Empty) (*management.Org, error) {
+	org, err := s.org.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return orgFromModel(org), nil
+}
+
+func (s *Server) ReactivateMyOrg(ctx context.Context, _ *empty.Empty) (*management.Org, error) {
+	org, err := s.org.ReactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
+	if err != nil {
+		return nil, err
+	}
+	return orgFromModel(org), nil
+}
+
+func (s *Server) SearchMyOrgDomains(ctx context.Context, in *management.OrgDomainSearchRequest) (*management.OrgDomainSearchResponse, error) {
+	domains, err := s.org.SearchMyOrgDomains(ctx, orgDomainSearchRequestToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return orgDomainSearchResponseFromModel(domains), nil
+}
+
+func (s *Server) AddMyOrgDomain(ctx context.Context, in *management.AddOrgDomainRequest) (*management.OrgDomain, error) {
+	domain, err := s.org.AddMyOrgDomain(ctx, addOrgDomainToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return orgDomainFromModel(domain), nil
+}
+
+func (s *Server) RemoveMyOrgDomain(ctx context.Context, in *management.RemoveOrgDomainRequest) (*empty.Empty, error) {
+	err := s.org.RemoveMyOrgDomain(ctx, in.Domain)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) OrgChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
+	response, err := s.org.OrgChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
+	if err != nil {
+		return nil, err
+	}
+	return orgChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
+}
+
+func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicy, err error) {
+	policy, err := s.org.GetMyOrgIamPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return orgIamPolicyFromModel(policy), err
+}

internal/api/grpc/management/org_converter.go

@@ -0,0 +1,195 @@
+package management
+
+import (
+	"encoding/json"
+
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	org_model "github.com/caos/zitadel/internal/org/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
+)
+
+func orgsFromModel(orgs []*org_model.Org) []*management.Org {
+	orgList := make([]*management.Org, len(orgs))
+	for i, org := range orgs {
+		orgList[i] = orgFromModel(org)
+	}
+	return orgList
+}
+
+func orgFromModel(org *org_model.Org) *management.Org {
+	creationDate, err := ptypes.TimestampProto(org.CreationDate)
+	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
+	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
+
+	return &management.Org{
+		ChangeDate:   changeDate,
+		CreationDate: creationDate,
+		Id:           org.AggregateID,
+		Name:         org.Name,
+		State:        orgStateFromModel(org.State),
+	}
+}
+
+func orgViewFromModel(org *org_model.OrgView) *management.OrgView {
+	creationDate, err := ptypes.TimestampProto(org.CreationDate)
+	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
+	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
+
+	return &management.OrgView{
+		ChangeDate:   changeDate,
+		CreationDate: creationDate,
+		Id:           org.ID,
+		Name:         org.Name,
+		State:        orgStateFromModel(org.State),
+	}
+}
+
+func orgStateFromModel(state org_model.OrgState) management.OrgState {
+	switch state {
+	case org_model.OrgStateActive:
+		return management.OrgState_ORGSTATE_ACTIVE
+	case org_model.OrgStateInactive:
+		return management.OrgState_ORGSTATE_INACTIVE
+	default:
+		return management.OrgState_ORGSTATE_UNSPECIFIED
+	}
+}
+
+func addOrgDomainToModel(domain *management.AddOrgDomainRequest) *org_model.OrgDomain {
+	return &org_model.OrgDomain{Domain: domain.Domain}
+}
+
+func orgDomainFromModel(domain *org_model.OrgDomain) *management.OrgDomain {
+	creationDate, err := ptypes.TimestampProto(domain.CreationDate)
+	logging.Log("GRPC-u8Ksj").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(domain.ChangeDate)
+	logging.Log("GRPC-9osFS").OnError(err).Debug("unable to get timestamp from time")
+
+	return &management.OrgDomain{
+		ChangeDate:   changeDate,
+		CreationDate: creationDate,
+		OrgId:        domain.AggregateID,
+		Domain:       domain.Domain,
+		Verified:     domain.Verified,
+		Primary:      domain.Primary,
+	}
+}
+
+func orgDomainViewFromModel(domain *org_model.OrgDomainView) *management.OrgDomainView {
+	creationDate, err := ptypes.TimestampProto(domain.CreationDate)
+	logging.Log("GRPC-7sjDs").OnError(err).Debug("unable to get timestamp from time")
+
+	changeDate, err := ptypes.TimestampProto(domain.ChangeDate)
+	logging.Log("GRPC-8iSji").OnError(err).Debug("unable to get timestamp from time")
+
+	return &management.OrgDomainView{
+		ChangeDate:   changeDate,
+		CreationDate: creationDate,
+		OrgId:        domain.OrgID,
+		Domain:       domain.Domain,
+		Verified:     domain.Verified,
+		Primary:      domain.Primary,
+	}
+}
+
+func orgDomainSearchRequestToModel(request *management.OrgDomainSearchRequest) *org_model.OrgDomainSearchRequest {
+	return &org_model.OrgDomainSearchRequest{
+		Limit:   request.Limit,
+		Offset:  request.Offset,
+		Queries: orgDomainSearchQueriesToModel(request.Queries),
+	}
+}
+
+func orgDomainSearchQueriesToModel(queries []*management.OrgDomainSearchQuery) []*org_model.OrgDomainSearchQuery {
+	modelQueries := make([]*org_model.OrgDomainSearchQuery, len(queries))
+
+	for i, query := range queries {
+		modelQueries[i] = orgDomainSearchQueryToModel(query)
+	}
+
+	return modelQueries
+}
+
+func orgDomainSearchQueryToModel(query *management.OrgDomainSearchQuery) *org_model.OrgDomainSearchQuery {
+	return &org_model.OrgDomainSearchQuery{
+		Key:    orgDomainSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func orgDomainSearchKeyToModel(key management.OrgDomainSearchKey) org_model.OrgDomainSearchKey {
+	switch key {
+	case management.OrgDomainSearchKey_ORGDOMAINSEARCHKEY_DOMAIN:
+		return org_model.OrgDomainSearchKeyDomain
+	default:
+		return org_model.OrgDomainSearchKeyUnspecified
+	}
+}
+
+func orgDomainSearchResponseFromModel(resp *org_model.OrgDomainSearchResponse) *management.OrgDomainSearchResponse {
+	return &management.OrgDomainSearchResponse{
+		Limit:       resp.Limit,
+		Offset:      resp.Offset,
+		TotalResult: resp.TotalResult,
+		Result:      orgDomainsFromModel(resp.Result),
+	}
+}
+func orgDomainsFromModel(viewDomains []*org_model.OrgDomainView) []*management.OrgDomainView {
+	domains := make([]*management.OrgDomainView, len(viewDomains))
+
+	for i, domain := range viewDomains {
+		domains[i] = orgDomainViewFromModel(domain)
+	}
+
+	return domains
+}
+
+func orgChangesToResponse(response *org_model.OrgChanges, offset uint64, limit uint64) (_ *management.Changes) {
+	return &management.Changes{
+		Limit:   limit,
+		Offset:  offset,
+		Changes: orgChangesToMgtAPI(response),
+	}
+}
+
+func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*management.Change) {
+	result := make([]*management.Change, len(changes.Changes))
+
+	for i, change := range changes.Changes {
+		b, err := json.Marshal(change.Data)
+		data := &structpb.Struct{}
+		err = protojson.Unmarshal(b, data)
+		if err != nil {
+		}
+		result[i] = &management.Change{
+			ChangeDate: change.ChangeDate,
+			EventType:  message.NewLocalizedEventType(change.EventType),
+			Sequence:   change.Sequence,
+			Data:       data,
+			Editor:     change.ModifierName,
+			EditorId:   change.ModifierId,
+		}
+	}
+
+	return result
+}
+
+func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *management.OrgIamPolicy {
+	return &management.OrgIamPolicy{
+		OrgId:                 policy.AggregateID,
+		Description:           policy.Description,
+		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+		Default:               policy.Default,
+	}
+}

internal/api/grpc/management/org_member.go

@@ -0,0 +1,43 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetOrgMemberRoles(ctx context.Context, _ *empty.Empty) (*management.OrgMemberRoles, error) {
+	return &management.OrgMemberRoles{Roles: s.org.GetOrgMemberRoles()}, nil
+}
+
+func (s *Server) SearchMyOrgMembers(ctx context.Context, in *management.OrgMemberSearchRequest) (*management.OrgMemberSearchResponse, error) {
+	members, err := s.org.SearchMyOrgMembers(ctx, orgMemberSearchRequestToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return orgMemberSearchResponseFromModel(members), nil
+}
+
+func (s *Server) AddMyOrgMember(ctx context.Context, member *management.AddOrgMemberRequest) (*management.OrgMember, error) {
+	addedMember, err := s.org.AddMyOrgMember(ctx, addOrgMemberToModel(member))
+	if err != nil {
+		return nil, err
+	}
+
+	return orgMemberFromModel(addedMember), nil
+}
+
+func (s *Server) ChangeMyOrgMember(ctx context.Context, member *management.ChangeOrgMemberRequest) (*management.OrgMember, error) {
+	changedMember, err := s.org.ChangeMyOrgMember(ctx, changeOrgMemberToModel(member))
+	if err != nil {
+		return nil, err
+	}
+	return orgMemberFromModel(changedMember), nil
+}
+
+func (s *Server) RemoveMyOrgMember(ctx context.Context, member *management.RemoveOrgMemberRequest) (*empty.Empty, error) {
+	err := s.org.RemoveMyOrgMember(ctx, member.UserId)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/org_member_converter.go

@@ -0,0 +1,141 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/model"
+	org_model "github.com/caos/zitadel/internal/org/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func addOrgMemberToModel(member *management.AddOrgMemberRequest) *org_model.OrgMember {
+	memberModel := &org_model.OrgMember{
+		UserID: member.UserId,
+	}
+	memberModel.Roles = member.Roles
+
+	return memberModel
+}
+
+func changeOrgMemberToModel(member *management.ChangeOrgMemberRequest) *org_model.OrgMember {
+	memberModel := &org_model.OrgMember{
+		UserID: member.UserId,
+	}
+	memberModel.Roles = member.Roles
+
+	return memberModel
+}
+
+func orgMemberFromModel(member *org_model.OrgMember) *management.OrgMember {
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-jC5wY").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-Nc2jJ").OnError(err).Debug("date parse failed")
+
+	return &management.OrgMember{
+		UserId:       member.UserID,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Roles:        member.Roles,
+		Sequence:     member.Sequence,
+	}
+}
+
+func orgMemberSearchRequestToModel(request *management.OrgMemberSearchRequest) *org_model.OrgMemberSearchRequest {
+	return &org_model.OrgMemberSearchRequest{
+		Limit:   request.Limit,
+		Offset:  request.Offset,
+		Queries: orgMemberSearchQueriesToModel(request.Queries),
+	}
+}
+
+func orgMemberSearchQueriesToModel(queries []*management.OrgMemberSearchQuery) []*org_model.OrgMemberSearchQuery {
+	modelQueries := make([]*org_model.OrgMemberSearchQuery, len(queries)+1)
+
+	for i, query := range queries {
+		modelQueries[i] = orgMemberSearchQueryToModel(query)
+	}
+
+	return modelQueries
+}
+
+func orgMemberSearchQueryToModel(query *management.OrgMemberSearchQuery) *org_model.OrgMemberSearchQuery {
+	return &org_model.OrgMemberSearchQuery{
+		Key:    orgMemberSearchKeyToModel(query.Key),
+		Method: orgMemberSearchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func orgMemberSearchKeyToModel(key management.OrgMemberSearchKey) org_model.OrgMemberSearchKey {
+	switch key {
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_EMAIL:
+		return org_model.OrgMemberSearchKeyEmail
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_FIRST_NAME:
+		return org_model.OrgMemberSearchKeyFirstName
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_LAST_NAME:
+		return org_model.OrgMemberSearchKeyLastName
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_USER_ID:
+		return org_model.OrgMemberSearchKeyUserID
+	default:
+		return org_model.OrgMemberSearchKeyUnspecified
+	}
+}
+
+func orgMemberSearchMethodToModel(key management.SearchMethod) model.SearchMethod {
+	switch key {
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS:
+		return model.SearchMethodContains
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+		return model.SearchMethodContainsIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_EQUALS:
+		return model.SearchMethodEquals
+	case management.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+		return model.SearchMethodEqualsIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH:
+		return model.SearchMethodStartsWith
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+		return model.SearchMethodStartsWithIgnoreCase
+	default:
+		return -1
+	}
+}
+
+func orgMemberSearchResponseFromModel(resp *org_model.OrgMemberSearchResponse) *management.OrgMemberSearchResponse {
+	return &management.OrgMemberSearchResponse{
+		Limit:       resp.Limit,
+		Offset:      resp.Offset,
+		TotalResult: resp.TotalResult,
+		Result:      orgMembersFromView(resp.Result),
+	}
+}
+func orgMembersFromView(viewMembers []*org_model.OrgMemberView) []*management.OrgMemberView {
+	members := make([]*management.OrgMemberView, len(viewMembers))
+
+	for i, member := range viewMembers {
+		members[i] = orgMemberFromView(member)
+	}
+
+	return members
+}
+
+func orgMemberFromView(member *org_model.OrgMemberView) *management.OrgMemberView {
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-S9LAZ").OnError(err).Debug("unable to parse changedate")
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-oJN56").OnError(err).Debug("unable to parse creation date")
+
+	return &management.OrgMemberView{
+		ChangeDate:   changeDate,
+		CreationDate: creationDate,
+		Roles:        member.Roles,
+		Sequence:     member.Sequence,
+		UserId:       member.UserID,
+		UserName:     member.UserName,
+		Email:        member.Email,
+		FirstName:    member.FirstName,
+		LastName:     member.LastName,
+	}
+}

internal/api/grpc/management/policy.go

@@ -0,0 +1,103 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyCreate) (*management.PasswordComplexityPolicy, error) {
+	policyresp, err := s.policy.CreatePasswordComplexityPolicy(ctx, passwordComplexityPolicyCreateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordComplexityPolicyFromModel(policyresp), nil
+}
+
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicy, error) {
+	policy, err := s.policy.GetPasswordComplexityPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordComplexityPolicyFromModel(policy), nil
+}
+
+func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyUpdate) (*management.PasswordComplexityPolicy, error) {
+	policyresp, err := s.policy.UpdatePasswordComplexityPolicy(ctx, passwordComplexityPolicyUpdateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordComplexityPolicyFromModel(policyresp), nil
+}
+
+func (s *Server) DeletePasswordComplexityPolicy(ctx context.Context, ID *management.PasswordComplexityPolicyID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-skw3f", "Not implemented")
+}
+
+func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyCreate) (*management.PasswordAgePolicy, error) {
+	policyresp, err := s.policy.CreatePasswordAgePolicy(ctx, passwordAgePolicyCreateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordAgePolicyFromModel(policyresp), nil
+}
+
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicy, error) {
+	policy, err := s.policy.GetPasswordAgePolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordAgePolicyFromModel(policy), nil
+}
+
+func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyUpdate) (*management.PasswordAgePolicy, error) {
+	policyresp, err := s.policy.UpdatePasswordAgePolicy(ctx, passwordAgePolicyUpdateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordAgePolicyFromModel(policyresp), nil
+}
+
+func (s *Server) DeletePasswordAgePolicy(ctx context.Context, ID *management.PasswordAgePolicyID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-plo67", "Not implemented")
+}
+
+func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyCreate) (*management.PasswordLockoutPolicy, error) {
+	policyresp, err := s.policy.CreatePasswordLockoutPolicy(ctx, passwordLockoutPolicyCreateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordLockoutPolicyFromModel(policyresp), nil
+}
+
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicy, error) {
+	policy, err := s.policy.GetPasswordLockoutPolicy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordLockoutPolicyFromModel(policy), nil
+}
+
+func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyUpdate) (*management.PasswordLockoutPolicy, error) {
+	policyresp, err := s.policy.UpdatePasswordLockoutPolicy(ctx, passwordLockoutPolicyUpdateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+
+	return passwordLockoutPolicyFromModel(policyresp), nil
+}
+
+func (s *Server) DeletePasswordLockoutPolicy(ctx context.Context, ID *management.PasswordLockoutPolicyID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-GHkd9", "Not implemented")
+}

internal/api/grpc/management/policy_age_converter.go

@@ -0,0 +1,68 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/policy/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func passwordAgePolicyFromModel(policy *model.PasswordAgePolicy) *management.PasswordAgePolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-6ILdB").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-ngUzJ").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.PasswordAgePolicy{
+		Id:             policy.AggregateID,
+		CreationDate:   creationDate,
+		ChangeDate:     changeDate,
+		Sequence:       policy.Sequence,
+		Description:    policy.Description,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		MaxAgeDays:     policy.MaxAgeDays,
+		IsDefault:      policy.AggregateID == "",
+	}
+}
+
+func passwordAgePolicyToModel(policy *management.PasswordAgePolicy) *model.PasswordAgePolicy {
+	creationDate, err := ptypes.Timestamp(policy.CreationDate)
+	logging.Log("GRPC-2QSfU").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
+	logging.Log("GRPC-LdU91").OnError(err).Debug("unable to parse timestamp")
+
+	return &model.PasswordAgePolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID:  policy.Id,
+			CreationDate: creationDate,
+			ChangeDate:   changeDate,
+			Sequence:     policy.Sequence,
+		},
+		Description:    policy.Description,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		MaxAgeDays:     policy.MaxAgeDays,
+	}
+}
+
+func passwordAgePolicyCreateToModel(policy *management.PasswordAgePolicyCreate) *model.PasswordAgePolicy {
+	return &model.PasswordAgePolicy{
+		Description:    policy.Description,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		MaxAgeDays:     policy.MaxAgeDays,
+	}
+}
+
+func passwordAgePolicyUpdateToModel(policy *management.PasswordAgePolicyUpdate) *model.PasswordAgePolicy {
+	return &model.PasswordAgePolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: policy.Id,
+		},
+		Description:    policy.Description,
+		ExpireWarnDays: policy.ExpireWarnDays,
+		MaxAgeDays:     policy.MaxAgeDays,
+	}
+}

internal/api/grpc/management/policy_complexity_converter.go

@@ -0,0 +1,81 @@
+package management
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/policy/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-cQRHE").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-PVA1c").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.PasswordComplexityPolicy{
+		Id:           policy.AggregateID,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Description:  policy.Description,
+		Sequence:     policy.Sequence,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+		IsDefault:    policy.AggregateID == "",
+	}
+}
+
+func passwordComplexityPolicyToModel(policy *management.PasswordComplexityPolicy) *model.PasswordComplexityPolicy {
+	creationDate, err := ptypes.Timestamp(policy.CreationDate)
+	logging.Log("GRPC-asmEZ").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
+	logging.Log("GRPC-MCE4o").OnError(err).Debug("unable to parse timestamp")
+
+	return &model.PasswordComplexityPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID:  policy.Id,
+			CreationDate: creationDate,
+			ChangeDate:   changeDate,
+			Sequence:     policy.Sequence,
+		},
+		Description:  policy.Description,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func passwordComplexityPolicyCreateToModel(policy *management.PasswordComplexityPolicyCreate) *model.PasswordComplexityPolicy {
+	return &model.PasswordComplexityPolicy{
+		Description:  policy.Description,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}
+
+func passwordComplexityPolicyUpdateToModel(policy *management.PasswordComplexityPolicyUpdate) *model.PasswordComplexityPolicy {
+	return &model.PasswordComplexityPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: policy.Id,
+		},
+		Description:  policy.Description,
+		MinLength:    policy.MinLength,
+		HasLowercase: policy.HasLowercase,
+		HasUppercase: policy.HasUppercase,
+		HasNumber:    policy.HasNumber,
+		HasSymbol:    policy.HasSymbol,
+	}
+}

internal/api/grpc/management/policy_lockout_converter.go

@@ -0,0 +1,70 @@
+package management
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/policy/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func passwordLockoutPolicyFromModel(policy *model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("GRPC-JRSbT").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("GRPC-1sizr").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.PasswordLockoutPolicy{
+		Id:                  policy.AggregateID,
+		CreationDate:        creationDate,
+		ChangeDate:          changeDate,
+		Sequence:            policy.Sequence,
+		Description:         policy.Description,
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+		IsDefault:           policy.AggregateID == "",
+	}
+}
+
+func passwordLockoutPolicyToModel(policy *management.PasswordLockoutPolicy) *model.PasswordLockoutPolicy {
+	creationDate, err := ptypes.Timestamp(policy.CreationDate)
+	logging.Log("GRPC-8a511").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.Timestamp(policy.ChangeDate)
+	logging.Log("GRPC-2rdGv").OnError(err).Debug("unable to parse timestamp")
+
+	return &model.PasswordLockoutPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID:  policy.Id,
+			CreationDate: creationDate,
+			ChangeDate:   changeDate,
+			Sequence:     policy.Sequence,
+		},
+		Description: policy.Description,
+
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}
+
+func passwordLockoutPolicyCreateToModel(policy *management.PasswordLockoutPolicyCreate) *model.PasswordLockoutPolicy {
+	return &model.PasswordLockoutPolicy{
+		Description:         policy.Description,
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}
+
+func passwordLockoutPolicyUpdateToModel(policy *management.PasswordLockoutPolicyUpdate) *model.PasswordLockoutPolicy {
+	return &model.PasswordLockoutPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: policy.Id,
+		},
+		Description:         policy.Description,
+		MaxAttempts:         policy.MaxAttempts,
+		ShowLockOutFailures: policy.ShowLockOutFailures,
+	}
+}

internal/api/grpc/management/probes.go

@@ -0,0 +1,20 @@
+package management
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+	pb_struct "github.com/golang/protobuf/ptypes/struct"
+)
+
+func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mkd3y", "Not implemented")
+}
+
+func (s *Server) Ready(ctx context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pl6BM", "Not implemented")
+}
+
+func (s *Server) Validate(ctx context.Context, _ *empty.Empty) (*pb_struct.Struct, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-2wxF", "Not implemented")
+}

internal/api/grpc/management/project.go

@@ -0,0 +1,122 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) CreateProject(ctx context.Context, in *management.ProjectCreateRequest) (*management.Project, error) {
+	project, err := s.project.CreateProject(ctx, in.Name)
+	if err != nil {
+		return nil, err
+	}
+	return projectFromModel(project), nil
+}
+func (s *Server) UpdateProject(ctx context.Context, in *management.ProjectUpdateRequest) (*management.Project, error) {
+	project, err := s.project.UpdateProject(ctx, projectUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectFromModel(project), nil
+}
+func (s *Server) DeactivateProject(ctx context.Context, in *management.ProjectID) (*management.Project, error) {
+	project, err := s.project.DeactivateProject(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectFromModel(project), nil
+}
+func (s *Server) ReactivateProject(ctx context.Context, in *management.ProjectID) (*management.Project, error) {
+	project, err := s.project.ReactivateProject(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectFromModel(project), nil
+}
+
+func (s *Server) SearchProjects(ctx context.Context, in *management.ProjectSearchRequest) (*management.ProjectSearchResponse, error) {
+	request := projectSearchRequestsToModel(in)
+	request.AppendMyResourceOwnerQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
+	response, err := s.project.SearchProjects(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return projectSearchResponseFromModel(response), nil
+}
+
+func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*management.ProjectView, error) {
+	project, err := s.project.ProjectByID(ctx, id.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectViewFromModel(project), nil
+}
+
+func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) {
+	request := grantedProjectSearchRequestsToModel(in)
+	request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
+	response, err := s.project.SearchProjectGrants(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantSearchResponseFromModel(response), nil
+}
+
+func (s *Server) GetGrantedProjectByID(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrantView, error) {
+	project, err := s.project.ProjectGrantViewByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantFromGrantedProjectModel(project), nil
+}
+
+func (s *Server) AddProjectRole(ctx context.Context, in *management.ProjectRoleAdd) (*management.ProjectRole, error) {
+	role, err := s.project.AddProjectRole(ctx, projectRoleAddToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectRoleFromModel(role), nil
+}
+
+func (s *Server) BulkAddProjectRole(ctx context.Context, in *management.ProjectRoleAddBulk) (*empty.Empty, error) {
+	err := s.project.BulkAddProjectRole(ctx, projectRoleAddBulkToModel(in))
+	return &empty.Empty{}, err
+}
+
+func (s *Server) ChangeProjectRole(ctx context.Context, in *management.ProjectRoleChange) (*management.ProjectRole, error) {
+	role, err := s.project.ChangeProjectRole(ctx, projectRoleChangeToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectRoleFromModel(role), nil
+}
+
+func (s *Server) RemoveProjectRole(ctx context.Context, in *management.ProjectRoleRemove) (*empty.Empty, error) {
+	err := s.project.RemoveProjectRole(ctx, in.Id, in.Key)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) SearchProjectRoles(ctx context.Context, in *management.ProjectRoleSearchRequest) (*management.ProjectRoleSearchResponse, error) {
+	request := projectRoleSearchRequestsToModel(in)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
+	request.AppendProjectQuery(in.ProjectId)
+	response, err := s.project.SearchProjectRoles(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return projectRoleSearchResponseFromModel(response), nil
+}
+
+func (s *Server) ProjectChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
+	response, err := s.project.ProjectChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
+	if err != nil {
+		return nil, err
+	}
+	return projectChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
+}

internal/api/grpc/management/project_converter.go

@@ -0,0 +1,302 @@
+package management
+
+import (
+	"encoding/json"
+
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
+)
+
+func projectFromModel(project *proj_model.Project) *management.Project {
+	creationDate, err := ptypes.TimestampProto(project.CreationDate)
+	logging.Log("GRPC-iejs3").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(project.ChangeDate)
+	logging.Log("GRPC-di7rw").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.Project{
+		Id:           project.AggregateID,
+		State:        projectStateFromModel(project.State),
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Name:         project.Name,
+		Sequence:     project.Sequence,
+	}
+}
+
+func projectSearchResponseFromModel(response *proj_model.ProjectViewSearchResponse) *management.ProjectSearchResponse {
+	return &management.ProjectSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      projectViewsFromModel(response.Result),
+	}
+}
+
+func projectViewsFromModel(projects []*proj_model.ProjectView) []*management.ProjectView {
+	converted := make([]*management.ProjectView, len(projects))
+	for i, project := range projects {
+		converted[i] = projectViewFromModel(project)
+	}
+	return converted
+}
+
+func projectViewFromModel(project *proj_model.ProjectView) *management.ProjectView {
+	creationDate, err := ptypes.TimestampProto(project.CreationDate)
+	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(project.ChangeDate)
+	logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectView{
+		ProjectId:     project.ProjectID,
+		State:         projectStateFromModel(project.State),
+		CreationDate:  creationDate,
+		ChangeDate:    changeDate,
+		Name:          project.Name,
+		Sequence:      project.Sequence,
+		ResourceOwner: project.ResourceOwner,
+	}
+}
+
+func projectRoleSearchResponseFromModel(response *proj_model.ProjectRoleSearchResponse) *management.ProjectRoleSearchResponse {
+	return &management.ProjectRoleSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      projectRoleViewsFromModel(response.Result),
+	}
+}
+
+func projectRoleViewsFromModel(roles []*proj_model.ProjectRoleView) []*management.ProjectRoleView {
+	converted := make([]*management.ProjectRoleView, len(roles))
+	for i, role := range roles {
+		converted[i] = projectRoleViewFromModel(role)
+	}
+	return converted
+}
+
+func projectRoleViewFromModel(role *proj_model.ProjectRoleView) *management.ProjectRoleView {
+	creationDate, err := ptypes.TimestampProto(role.CreationDate)
+	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectRoleView{
+		ProjectId:    role.ProjectID,
+		CreationDate: creationDate,
+		Key:          role.Key,
+		Group:        role.Group,
+		DisplayName:  role.DisplayName,
+		Sequence:     role.Sequence,
+	}
+}
+
+func projectStateFromModel(state proj_model.ProjectState) management.ProjectState {
+	switch state {
+	case proj_model.ProjectStateActive:
+		return management.ProjectState_PROJECTSTATE_ACTIVE
+	case proj_model.ProjectStateInactive:
+		return management.ProjectState_PROJECTSTATE_INACTIVE
+	default:
+		return management.ProjectState_PROJECTSTATE_UNSPECIFIED
+	}
+}
+
+func projectUpdateToModel(project *management.ProjectUpdateRequest) *proj_model.Project {
+	return &proj_model.Project{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: project.Id,
+		},
+		Name: project.Name,
+	}
+}
+
+func projectRoleFromModel(role *proj_model.ProjectRole) *management.ProjectRole {
+	creationDate, err := ptypes.TimestampProto(role.CreationDate)
+	logging.Log("GRPC-due83").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(role.ChangeDate)
+	logging.Log("GRPC-id93s").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectRole{
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     role.Sequence,
+		Key:          role.Key,
+		DisplayName:  role.DisplayName,
+		Group:        role.Group,
+	}
+}
+
+func projectRoleAddBulkToModel(bulk *management.ProjectRoleAddBulk) []*proj_model.ProjectRole {
+	roles := make([]*proj_model.ProjectRole, len(bulk.ProjectRoles))
+	for i, role := range bulk.ProjectRoles {
+		roles[i] = &proj_model.ProjectRole{
+			ObjectRoot: models.ObjectRoot{
+				AggregateID: bulk.Id,
+			},
+			Key:         role.Key,
+			DisplayName: role.DisplayName,
+			Group:       role.Group,
+		}
+	}
+	return roles
+}
+
+func projectRoleAddToModel(role *management.ProjectRoleAdd) *proj_model.ProjectRole {
+	return &proj_model.ProjectRole{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: role.Id,
+		},
+		Key:         role.Key,
+		DisplayName: role.DisplayName,
+		Group:       role.Group,
+	}
+}
+
+func projectRoleChangeToModel(role *management.ProjectRoleChange) *proj_model.ProjectRole {
+	return &proj_model.ProjectRole{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: role.Id,
+		},
+		Key:         role.Key,
+		DisplayName: role.DisplayName,
+		Group:       role.Group,
+	}
+}
+
+func projectSearchRequestsToModel(project *management.ProjectSearchRequest) *proj_model.ProjectViewSearchRequest {
+	return &proj_model.ProjectViewSearchRequest{
+		Offset:  project.Offset,
+		Limit:   project.Limit,
+		Queries: projectSearchQueriesToModel(project.Queries),
+	}
+}
+func grantedProjectSearchRequestsToModel(request *management.GrantedProjectSearchRequest) *proj_model.ProjectGrantViewSearchRequest {
+	return &proj_model.ProjectGrantViewSearchRequest{
+		Offset:  request.Offset,
+		Limit:   request.Limit,
+		Queries: grantedPRojectSearchQueriesToModel(request.Queries),
+	}
+}
+
+func projectSearchQueriesToModel(queries []*management.ProjectSearchQuery) []*proj_model.ProjectViewSearchQuery {
+	converted := make([]*proj_model.ProjectViewSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = projectSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func projectSearchQueryToModel(query *management.ProjectSearchQuery) *proj_model.ProjectViewSearchQuery {
+	return &proj_model.ProjectViewSearchQuery{
+		Key:    projectSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func projectSearchKeyToModel(key management.ProjectSearchKey) proj_model.ProjectViewSearchKey {
+	switch key {
+	case management.ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME:
+		return proj_model.ProjectViewSearchKeyName
+	default:
+		return proj_model.ProjectViewSearchKeyUnspecified
+	}
+}
+
+func grantedPRojectSearchQueriesToModel(queries []*management.ProjectSearchQuery) []*proj_model.ProjectGrantViewSearchQuery {
+	converted := make([]*proj_model.ProjectGrantViewSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = grantedProjectSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func grantedProjectSearchQueryToModel(query *management.ProjectSearchQuery) *proj_model.ProjectGrantViewSearchQuery {
+	return &proj_model.ProjectGrantViewSearchQuery{
+		Key:    projectGrantSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func projectGrantSearchKeyToModel(key management.ProjectSearchKey) proj_model.ProjectGrantViewSearchKey {
+	switch key {
+	case management.ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME:
+		return proj_model.GrantedProjectSearchKeyName
+	default:
+		return proj_model.GrantedProjectSearchKeyUnspecified
+	}
+}
+
+func projectRoleSearchRequestsToModel(role *management.ProjectRoleSearchRequest) *proj_model.ProjectRoleSearchRequest {
+	return &proj_model.ProjectRoleSearchRequest{
+		Offset:  role.Offset,
+		Limit:   role.Limit,
+		Queries: projectRoleSearchQueriesToModel(role.Queries),
+	}
+}
+
+func projectRoleSearchQueriesToModel(queries []*management.ProjectRoleSearchQuery) []*proj_model.ProjectRoleSearchQuery {
+	converted := make([]*proj_model.ProjectRoleSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = projectRoleSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func projectRoleSearchQueryToModel(query *management.ProjectRoleSearchQuery) *proj_model.ProjectRoleSearchQuery {
+	return &proj_model.ProjectRoleSearchQuery{
+		Key:    projectRoleSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func projectRoleSearchKeyToModel(key management.ProjectRoleSearchKey) proj_model.ProjectRoleSearchKey {
+	switch key {
+	case management.ProjectRoleSearchKey_PROJECTROLESEARCHKEY_KEY:
+		return proj_model.ProjectRoleSearchKeyKey
+	case management.ProjectRoleSearchKey_PROJECTROLESEARCHKEY_DISPLAY_NAME:
+		return proj_model.ProjectRoleSearchKeyDisplayName
+	default:
+		return proj_model.ProjectRoleSearchKeyUnspecified
+	}
+}
+
+func projectChangesToResponse(response *proj_model.ProjectChanges, offset uint64, limit uint64) (_ *management.Changes) {
+	return &management.Changes{
+		Limit:   limit,
+		Offset:  offset,
+		Changes: projectChangesToMgtAPI(response),
+	}
+}
+
+func projectChangesToMgtAPI(changes *proj_model.ProjectChanges) (_ []*management.Change) {
+	result := make([]*management.Change, len(changes.Changes))
+
+	for i, change := range changes.Changes {
+		b, err := json.Marshal(change.Data)
+		data := &structpb.Struct{}
+		err = protojson.Unmarshal(b, data)
+		if err != nil {
+		}
+		result[i] = &management.Change{
+			ChangeDate: change.ChangeDate,
+			EventType:  message.NewLocalizedEventType(change.EventType),
+			Sequence:   change.Sequence,
+			Editor:     change.ModifierName,
+			EditorId:   change.ModifierId,
+			Data:       data,
+		}
+	}
+
+	return result
+}

internal/api/grpc/management/project_grant.go

@@ -0,0 +1,66 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) SearchProjectGrants(ctx context.Context, in *management.ProjectGrantSearchRequest) (*management.ProjectGrantSearchResponse, error) {
+	request := projectGrantSearchRequestsToModel(in)
+	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
+	request.AppendMyResourceOwnerQuery(orgID)
+	request.AppendNotMyOrgQuery(orgID)
+	response, err := s.project.SearchProjectGrants(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantSearchResponseFromModel(response), nil
+}
+
+func (s *Server) ProjectGrantByID(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrantView, error) {
+	grant, err := s.project.ProjectGrantByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantFromGrantedProjectModel(grant), nil
+}
+
+func (s *Server) CreateProjectGrant(ctx context.Context, in *management.ProjectGrantCreate) (*management.ProjectGrant, error) {
+	grant, err := s.project.AddProjectGrant(ctx, projectGrantCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantFromModel(grant), nil
+}
+func (s *Server) UpdateProjectGrant(ctx context.Context, in *management.ProjectGrantUpdate) (*management.ProjectGrant, error) {
+	grant, err := s.project.ChangeProjectGrant(ctx, projectGrantUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantFromModel(grant), nil
+}
+func (s *Server) DeactivateProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrant, error) {
+	grant, err := s.project.DeactivateProjectGrant(ctx, in.ProjectId, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantFromModel(grant), nil
+}
+
+func (s *Server) ReactivateProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrant, error) {
+	grant, err := s.project.ReactivateProjectGrant(ctx, in.ProjectId, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantFromModel(grant), nil
+}
+
+func (s *Server) RemoveProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*empty.Empty, error) {
+	err := s.project.RemoveProjectGrant(ctx, in.ProjectId, in.Id)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/project_grant_converter.go

@@ -0,0 +1,153 @@
+package management
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/model"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func projectGrantFromModel(grant *proj_model.ProjectGrant) *management.ProjectGrant {
+	creationDate, err := ptypes.TimestampProto(grant.CreationDate)
+	logging.Log("GRPC-8d73s").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(grant.ChangeDate)
+	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectGrant{
+		Id:           grant.GrantID,
+		State:        projectGrantStateFromModel(grant.State),
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		GrantedOrgId: grant.GrantedOrgID,
+		RoleKeys:     grant.RoleKeys,
+		Sequence:     grant.Sequence,
+		ProjectId:    grant.AggregateID,
+	}
+}
+
+func projectGrantCreateToModel(grant *management.ProjectGrantCreate) *proj_model.ProjectGrant {
+	return &proj_model.ProjectGrant{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: grant.ProjectId,
+		},
+		GrantedOrgID: grant.GrantedOrgId,
+		RoleKeys:     grant.RoleKeys,
+	}
+}
+
+func projectGrantUpdateToModel(grant *management.ProjectGrantUpdate) *proj_model.ProjectGrant {
+	return &proj_model.ProjectGrant{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: grant.ProjectId,
+		},
+		GrantID:  grant.Id,
+		RoleKeys: grant.RoleKeys,
+	}
+}
+
+func projectGrantSearchRequestsToModel(request *management.ProjectGrantSearchRequest) *proj_model.ProjectGrantViewSearchRequest {
+	return &proj_model.ProjectGrantViewSearchRequest{
+		Offset:  request.Offset,
+		Limit:   request.Limit,
+		Queries: projectGrantSearchQueriesToModel(request.ProjectId, request.Queries),
+	}
+}
+
+func projectGrantSearchQueriesToModel(projectId string, queries []*management.ProjectGrantSearchQuery) []*proj_model.ProjectGrantViewSearchQuery {
+	converted := make([]*proj_model.ProjectGrantViewSearchQuery, 0)
+	converted = append(converted, &proj_model.ProjectGrantViewSearchQuery{
+		Key:    proj_model.GrantedProjectSearchKeyProjectID,
+		Method: model.SearchMethodEquals,
+		Value:  projectId,
+	})
+	for i, query := range queries {
+		converted[i] = projectGrantSearchQueryToModel(query)
+	}
+	return converted
+}
+
+func projectGrantSearchQueryToModel(query *management.ProjectGrantSearchQuery) *proj_model.ProjectGrantViewSearchQuery {
+	return &proj_model.ProjectGrantViewSearchQuery{
+		Key:    projectGrantViewSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func projectGrantViewSearchKeyToModel(key management.ProjectGrantSearchKey) proj_model.ProjectGrantViewSearchKey {
+	switch key {
+	case management.ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_PROJECT_NAME:
+		return proj_model.GrantedProjectSearchKeyProjectID
+	case management.ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_ROLE_KEY:
+		return proj_model.GrantedProjectSearchKeyRoleKeys
+	default:
+		return proj_model.GrantedProjectSearchKeyUnspecified
+	}
+}
+
+func projectGrantSearchResponseFromModel(response *proj_model.ProjectGrantViewSearchResponse) *management.ProjectGrantSearchResponse {
+	return &management.ProjectGrantSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      projectGrantsFromGrantedProjectModel(response.Result),
+	}
+}
+
+func projectGrantsFromGrantedProjectModel(projects []*proj_model.ProjectGrantView) []*management.ProjectGrantView {
+	converted := make([]*management.ProjectGrantView, len(projects))
+	for i, project := range projects {
+		converted[i] = projectGrantFromGrantedProjectModel(project)
+	}
+	return converted
+}
+
+func projectGrantFromGrantedProjectModel(project *proj_model.ProjectGrantView) *management.ProjectGrantView {
+	creationDate, err := ptypes.TimestampProto(project.CreationDate)
+	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(project.ChangeDate)
+	logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectGrantView{
+		ProjectId:         project.ProjectID,
+		State:             projectGrantStateFromProjectStateModel(project.State),
+		CreationDate:      creationDate,
+		ChangeDate:        changeDate,
+		ProjectName:       project.Name,
+		Sequence:          project.Sequence,
+		GrantedOrgId:      project.OrgID,
+		GrantedOrgName:    project.OrgName,
+		Id:                project.GrantID,
+		RoleKeys:          project.GrantedRoleKeys,
+		ResourceOwner:     project.ResourceOwner,
+		ResourceOwnerName: project.ResourceOwnerName,
+	}
+}
+
+func projectGrantStateFromModel(state proj_model.ProjectGrantState) management.ProjectGrantState {
+	switch state {
+	case proj_model.ProjectGrantStateActive:
+		return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE
+	case proj_model.ProjectGrantStateInactive:
+		return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE
+	default:
+		return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED
+	}
+}
+
+func projectGrantStateFromProjectStateModel(state proj_model.ProjectState) management.ProjectGrantState {
+	switch state {
+	case proj_model.ProjectStateActive:
+		return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE
+	case proj_model.ProjectStateInactive:
+		return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE
+	default:
+		return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED
+	}
+}

internal/api/grpc/management/project_grant_member.go

@@ -0,0 +1,42 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetProjectGrantMemberRoles(ctx context.Context, _ *empty.Empty) (*management.ProjectGrantMemberRoles, error) {
+	return &management.ProjectGrantMemberRoles{Roles: s.project.GetProjectGrantMemberRoles()}, nil
+}
+
+func (s *Server) SearchProjectGrantMembers(ctx context.Context, in *management.ProjectGrantMemberSearchRequest) (*management.ProjectGrantMemberSearchResponse, error) {
+	response, err := s.project.SearchProjectGrantMembers(ctx, projectGrantMemberSearchRequestsToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantMemberSearchResponseFromModel(response), nil
+}
+
+func (s *Server) AddProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberAdd) (*management.ProjectGrantMember, error) {
+	member, err := s.project.AddProjectGrantMember(ctx, projectGrantMemberAddToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantMemberFromModel(member), nil
+}
+
+func (s *Server) ChangeProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberChange) (*management.ProjectGrantMember, error) {
+	member, err := s.project.ChangeProjectGrantMember(ctx, projectGrantMemberChangeToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectGrantMemberFromModel(member), nil
+}
+
+func (s *Server) RemoveProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberRemove) (*empty.Empty, error) {
+	err := s.project.RemoveProjectGrantMember(ctx, in.ProjectId, in.GrantId, in.UserId)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/project_grant_member_converter.go

@@ -0,0 +1,124 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func projectGrantMemberFromModel(member *proj_model.ProjectGrantMember) *management.ProjectGrantMember {
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-7du3s").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-8duew").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectGrantMember{
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     member.Sequence,
+		UserId:       member.UserID,
+		Roles:        member.Roles,
+	}
+}
+
+func projectGrantMemberAddToModel(member *management.ProjectGrantMemberAdd) *proj_model.ProjectGrantMember {
+	return &proj_model.ProjectGrantMember{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: member.ProjectId,
+		},
+		GrantID: member.GrantId,
+		UserID:  member.UserId,
+		Roles:   member.Roles,
+	}
+}
+
+func projectGrantMemberChangeToModel(member *management.ProjectGrantMemberChange) *proj_model.ProjectGrantMember {
+	return &proj_model.ProjectGrantMember{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: member.ProjectId,
+		},
+		GrantID: member.GrantId,
+		UserID:  member.UserId,
+		Roles:   member.Roles,
+	}
+}
+
+func projectGrantMemberSearchRequestsToModel(role *management.ProjectGrantMemberSearchRequest) *proj_model.ProjectGrantMemberSearchRequest {
+	return &proj_model.ProjectGrantMemberSearchRequest{
+		Offset:  role.Offset,
+		Limit:   role.Limit,
+		Queries: projectGrantMemberSearchQueriesToModel(role.Queries),
+	}
+}
+
+func projectGrantMemberSearchQueriesToModel(queries []*management.ProjectGrantMemberSearchQuery) []*proj_model.ProjectGrantMemberSearchQuery {
+	converted := make([]*proj_model.ProjectGrantMemberSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = projectGrantMemberSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func projectGrantMemberSearchQueryToModel(query *management.ProjectGrantMemberSearchQuery) *proj_model.ProjectGrantMemberSearchQuery {
+	return &proj_model.ProjectGrantMemberSearchQuery{
+		Key:    projectGrantMemberSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func projectGrantMemberSearchKeyToModel(key management.ProjectGrantMemberSearchKey) proj_model.ProjectGrantMemberSearchKey {
+	switch key {
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_EMAIL:
+		return proj_model.ProjectGrantMemberSearchKeyEmail
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME:
+		return proj_model.ProjectGrantMemberSearchKeyFirstName
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME:
+		return proj_model.ProjectGrantMemberSearchKeyLastName
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_USER_NAME:
+		return proj_model.ProjectGrantMemberSearchKeyUserName
+	default:
+		return proj_model.ProjectGrantMemberSearchKeyUnspecified
+	}
+}
+
+func projectGrantMemberSearchResponseFromModel(response *proj_model.ProjectGrantMemberSearchResponse) *management.ProjectGrantMemberSearchResponse {
+	return &management.ProjectGrantMemberSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      projectGrantMemberViewsFromModel(response.Result),
+	}
+}
+
+func projectGrantMemberViewsFromModel(roles []*proj_model.ProjectGrantMemberView) []*management.ProjectGrantMemberView {
+	converted := make([]*management.ProjectGrantMemberView, len(roles))
+	for i, role := range roles {
+		converted[i] = projectGrantMemberViewFromModel(role)
+	}
+	return converted
+}
+
+func projectGrantMemberViewFromModel(member *proj_model.ProjectGrantMemberView) *management.ProjectGrantMemberView {
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-los93").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-ski4e").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectGrantMemberView{
+		UserId:       member.UserID,
+		UserName:     member.UserName,
+		Email:        member.Email,
+		FirstName:    member.FirstName,
+		LastName:     member.LastName,
+		Roles:        member.Roles,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     member.Sequence,
+	}
+}

internal/api/grpc/management/project_member.go

@@ -0,0 +1,44 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetProjectMemberRoles(ctx context.Context, _ *empty.Empty) (*management.ProjectMemberRoles, error) {
+	return &management.ProjectMemberRoles{Roles: s.project.GetProjectMemberRoles()}, nil
+}
+
+func (s *Server) SearchProjectMembers(ctx context.Context, in *management.ProjectMemberSearchRequest) (*management.ProjectMemberSearchResponse, error) {
+	request := projectMemberSearchRequestsToModel(in)
+	request.AppendProjectQuery(in.ProjectId)
+	response, err := s.project.SearchProjectMembers(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return projectMemberSearchResponseFromModel(response), nil
+}
+
+func (s *Server) AddProjectMember(ctx context.Context, in *management.ProjectMemberAdd) (*management.ProjectMember, error) {
+	member, err := s.project.AddProjectMember(ctx, projectMemberAddToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectMemberFromModel(member), nil
+}
+
+func (s *Server) ChangeProjectMember(ctx context.Context, in *management.ProjectMemberChange) (*management.ProjectMember, error) {
+	member, err := s.project.ChangeProjectMember(ctx, projectMemberChangeToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return projectMemberFromModel(member), nil
+}
+
+func (s *Server) RemoveProjectMember(ctx context.Context, in *management.ProjectMemberRemove) (*empty.Empty, error) {
+	err := s.project.RemoveProjectMember(ctx, in.Id, in.UserId)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/project_member_converter.go

@@ -0,0 +1,122 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func projectMemberFromModel(member *proj_model.ProjectMember) *management.ProjectMember {
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-kd8re").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-dlei3").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectMember{
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     member.Sequence,
+		UserId:       member.UserID,
+		Roles:        member.Roles,
+	}
+}
+
+func projectMemberAddToModel(member *management.ProjectMemberAdd) *proj_model.ProjectMember {
+	return &proj_model.ProjectMember{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: member.Id,
+		},
+		UserID: member.UserId,
+		Roles:  member.Roles,
+	}
+}
+
+func projectMemberChangeToModel(member *management.ProjectMemberChange) *proj_model.ProjectMember {
+	return &proj_model.ProjectMember{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: member.Id,
+		},
+		UserID: member.UserId,
+		Roles:  member.Roles,
+	}
+}
+
+func projectMemberSearchRequestsToModel(role *management.ProjectMemberSearchRequest) *proj_model.ProjectMemberSearchRequest {
+	return &proj_model.ProjectMemberSearchRequest{
+		Offset:  role.Offset,
+		Limit:   role.Limit,
+		Queries: projectMemberSearchQueriesToModel(role.Queries),
+	}
+}
+
+func projectMemberSearchQueriesToModel(queries []*management.ProjectMemberSearchQuery) []*proj_model.ProjectMemberSearchQuery {
+	converted := make([]*proj_model.ProjectMemberSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = projectMemberSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func projectMemberSearchQueryToModel(query *management.ProjectMemberSearchQuery) *proj_model.ProjectMemberSearchQuery {
+	return &proj_model.ProjectMemberSearchQuery{
+		Key:    projectMemberSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func projectMemberSearchKeyToModel(key management.ProjectMemberSearchKey) proj_model.ProjectMemberSearchKey {
+	switch key {
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_EMAIL:
+		return proj_model.ProjectMemberSearchKeyEmail
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_FIRST_NAME:
+		return proj_model.ProjectMemberSearchKeyFirstName
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_LAST_NAME:
+		return proj_model.ProjectMemberSearchKeyLastName
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_USER_NAME:
+		return proj_model.ProjectMemberSearchKeyUserName
+	default:
+		return proj_model.ProjectMemberSearchKeyUnspecified
+	}
+}
+
+func projectMemberSearchResponseFromModel(response *proj_model.ProjectMemberSearchResponse) *management.ProjectMemberSearchResponse {
+	return &management.ProjectMemberSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      projectMemberViewsFromModel(response.Result),
+	}
+}
+
+func projectMemberViewsFromModel(members []*proj_model.ProjectMemberView) []*management.ProjectMemberView {
+	converted := make([]*management.ProjectMemberView, len(members))
+	for i, member := range members {
+		converted[i] = projectMemberViewFromModel(member)
+	}
+	return converted
+}
+
+func projectMemberViewFromModel(member *proj_model.ProjectMemberView) *management.ProjectMemberView {
+	creationDate, err := ptypes.TimestampProto(member.CreationDate)
+	logging.Log("GRPC-sl9cs").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
+	logging.Log("GRPC-8iw2d").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.ProjectMemberView{
+		UserId:       member.UserID,
+		UserName:     member.UserName,
+		Email:        member.Email,
+		FirstName:    member.FirstName,
+		LastName:     member.LastName,
+		Roles:        member.Roles,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     member.Sequence,
+	}
+}

internal/api/grpc/management/search_converter.go

@@ -0,0 +1,31 @@
+package management
+
+import (
+	"github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func searchMethodToModel(method management.SearchMethod) model.SearchMethod {
+	switch method {
+	case management.SearchMethod_SEARCHMETHOD_EQUALS:
+		return model.SearchMethodEquals
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS:
+		return model.SearchMethodContains
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH:
+		return model.SearchMethodStartsWith
+	case management.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+		return model.SearchMethodEqualsIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+		return model.SearchMethodContainsIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+		return model.SearchMethodStartsWithIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_NOT_EQUALS:
+		return model.SearchMethodNotEquals
+	case management.SearchMethod_SEARCHMETHOD_IS_ONE_OF:
+		return model.SearchMethodIsOneOf
+	case management.SearchMethod_SEARCHMETHOD_LIST_CONTAINS:
+		return model.SearchMethodListContains
+	default:
+		return model.SearchMethodEquals
+	}
+}

internal/api/grpc/management/server.go

@@ -0,0 +1,69 @@
+package management
+
+import (
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/management/repository"
+	"github.com/caos/zitadel/internal/management/repository/eventsourcing"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+const (
+	mgmtName = "Management-API"
+)
+
+var _ management.ManagementServiceServer = (*Server)(nil)
+
+type Server struct {
+	project        repository.ProjectRepository
+	policy         repository.PolicyRepository
+	org            repository.OrgRepository
+	user           repository.UserRepository
+	usergrant      repository.UserGrantRepository
+	iam            repository.IamRepository
+	authZ          authz.Config
+	systemDefaults systemdefaults.SystemDefaults
+}
+
+type Config struct {
+	Repository eventsourcing.Config
+}
+
+func CreateServer(repo repository.Repository, sd systemdefaults.SystemDefaults) *Server {
+	return &Server{
+		project:        repo,
+		policy:         repo,
+		org:            repo,
+		user:           repo,
+		usergrant:      repo,
+		iam:            repo,
+		systemDefaults: sd,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	management.RegisterManagementServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return mgmtName
+}
+
+func (s *Server) MethodPrefix() string {
+	return management.ManagementService_MethodPrefix
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return management.ManagementService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.GatewayFunc {
+	return management.RegisterManagementServiceHandlerFromEndpoint
+}
+
+func (s *Server) GatewayPathPrefix() string {
+	return "/mgmt/v1"
+}

internal/api/grpc/management/user.go

@@ -0,0 +1,196 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetUserByID(ctx context.Context, id *management.UserID) (*management.UserView, error) {
+	user, err := s.user.UserByID(ctx, id.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userViewFromModel(user), nil
+}
+
+func (s *Server) GetUserByEmailGlobal(ctx context.Context, email *management.Email) (*management.UserView, error) {
+	user, err := s.user.GetGlobalUserByEmail(ctx, email.Email)
+	if err != nil {
+		return nil, err
+	}
+	return userViewFromModel(user), nil
+}
+
+func (s *Server) SearchUsers(ctx context.Context, in *management.UserSearchRequest) (*management.UserSearchResponse, error) {
+	request := userSearchRequestsToModel(in)
+	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
+	request.AppendMyOrgQuery(orgID)
+	response, err := s.user.SearchUsers(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return userSearchResponseFromModel(response), nil
+}
+
+func (s *Server) UserChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
+	response, err := s.user.UserChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
+	if err != nil {
+		return nil, err
+	}
+	return userChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
+}
+
+func (s *Server) IsUserUnique(ctx context.Context, request *management.UniqueUserRequest) (*management.UniqueUserResponse, error) {
+	unique, err := s.user.IsUserUnique(ctx, request.UserName, request.Email)
+	if err != nil {
+		return nil, err
+	}
+	return &management.UniqueUserResponse{IsUnique: unique}, nil
+}
+
+func (s *Server) CreateUser(ctx context.Context, in *management.CreateUserRequest) (*management.User, error) {
+	user, err := s.user.CreateUser(ctx, userCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return userFromModel(user), nil
+}
+
+func (s *Server) DeactivateUser(ctx context.Context, in *management.UserID) (*management.User, error) {
+	user, err := s.user.DeactivateUser(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userFromModel(user), nil
+}
+
+func (s *Server) ReactivateUser(ctx context.Context, in *management.UserID) (*management.User, error) {
+	user, err := s.user.ReactivateUser(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userFromModel(user), nil
+}
+
+func (s *Server) LockUser(ctx context.Context, in *management.UserID) (*management.User, error) {
+	user, err := s.user.LockUser(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userFromModel(user), nil
+}
+
+func (s *Server) UnlockUser(ctx context.Context, in *management.UserID) (*management.User, error) {
+	user, err := s.user.UnlockUser(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userFromModel(user), nil
+}
+
+func (s *Server) DeleteUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-as4fg", "Not implemented")
+}
+
+func (s *Server) GetUserProfile(ctx context.Context, in *management.UserID) (*management.UserProfileView, error) {
+	profile, err := s.user.ProfileByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return profileViewFromModel(profile), nil
+}
+
+func (s *Server) UpdateUserProfile(ctx context.Context, request *management.UpdateUserProfileRequest) (*management.UserProfile, error) {
+	profile, err := s.user.ChangeProfile(ctx, updateProfileToModel(request))
+	if err != nil {
+		return nil, err
+	}
+	return profileFromModel(profile), nil
+}
+
+func (s *Server) GetUserEmail(ctx context.Context, in *management.UserID) (*management.UserEmailView, error) {
+	email, err := s.user.EmailByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return emailViewFromModel(email), nil
+}
+
+func (s *Server) ChangeUserEmail(ctx context.Context, request *management.UpdateUserEmailRequest) (*management.UserEmail, error) {
+	email, err := s.user.ChangeEmail(ctx, updateEmailToModel(request))
+	if err != nil {
+		return nil, err
+	}
+	return emailFromModel(email), nil
+}
+
+func (s *Server) ResendEmailVerificationMail(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
+	err := s.user.CreateEmailVerificationCode(ctx, in.Id)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) GetUserPhone(ctx context.Context, in *management.UserID) (*management.UserPhoneView, error) {
+	phone, err := s.user.PhoneByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return phoneViewFromModel(phone), nil
+}
+
+func (s *Server) ChangeUserPhone(ctx context.Context, request *management.UpdateUserPhoneRequest) (*management.UserPhone, error) {
+	phone, err := s.user.ChangePhone(ctx, updatePhoneToModel(request))
+	if err != nil {
+		return nil, err
+	}
+	return phoneFromModel(phone), nil
+}
+
+func (s *Server) RemoveUserPhone(ctx context.Context, userID *management.UserID) (*empty.Empty, error) {
+	err := s.user.RemovePhone(ctx, userID.Id)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) ResendPhoneVerificationCode(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
+	err := s.user.CreatePhoneVerificationCode(ctx, in.Id)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) GetUserAddress(ctx context.Context, in *management.UserID) (*management.UserAddressView, error) {
+	address, err := s.user.AddressByID(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return addressViewFromModel(address), nil
+}
+
+func (s *Server) UpdateUserAddress(ctx context.Context, request *management.UpdateUserAddressRequest) (*management.UserAddress, error) {
+	address, err := s.user.ChangeAddress(ctx, updateAddressToModel(request))
+	if err != nil {
+		return nil, err
+	}
+	return addressFromModel(address), nil
+}
+
+func (s *Server) SendSetPasswordNotification(ctx context.Context, request *management.SetPasswordNotificationRequest) (*empty.Empty, error) {
+	err := s.user.RequestSetPassword(ctx, request.Id, notifyTypeToModel(request.Type))
+	return &empty.Empty{}, err
+}
+
+func (s *Server) SetInitialPassword(ctx context.Context, request *management.PasswordRequest) (*empty.Empty, error) {
+	_, err := s.user.SetOneTimePassword(ctx, passwordRequestToModel(request))
+	return &empty.Empty{}, err
+}
+
+func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.MultiFactors, error) {
+	mfas, err := s.user.UserMfas(ctx, userID.Id)
+	if err != nil {
+		return nil, err
+	}
+	return &management.MultiFactors{Mfas: mfasFromModel(mfas)}, nil
+}

internal/api/grpc/management/user_converter.go

@@ -0,0 +1,519 @@
+package management
+
+import (
+	"encoding/json"
+
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+	"golang.org/x/text/language"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
+)
+
+func userFromModel(user *usr_model.User) *management.User {
+	creationDate, err := ptypes.TimestampProto(user.CreationDate)
+	logging.Log("GRPC-8duwe").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(user.ChangeDate)
+	logging.Log("GRPC-ckoe3d").OnError(err).Debug("unable to parse timestamp")
+
+	converted := &management.User{
+		Id:                user.AggregateID,
+		State:             userStateFromModel(user.State),
+		CreationDate:      creationDate,
+		ChangeDate:        changeDate,
+		Sequence:          user.Sequence,
+		UserName:          user.UserName,
+		FirstName:         user.FirstName,
+		LastName:          user.LastName,
+		DisplayName:       user.DisplayName,
+		NickName:          user.NickName,
+		PreferredLanguage: user.PreferredLanguage.String(),
+		Gender:            genderFromModel(user.Gender),
+	}
+	if user.Email != nil {
+		converted.Email = user.EmailAddress
+		converted.IsEmailVerified = user.IsEmailVerified
+	}
+	if user.Phone != nil {
+		converted.Phone = user.PhoneNumber
+		converted.IsPhoneVerified = user.IsPhoneVerified
+	}
+	if user.Address != nil {
+		converted.Country = user.Country
+		converted.Locality = user.Locality
+		converted.PostalCode = user.PostalCode
+		converted.Region = user.Region
+		converted.StreetAddress = user.StreetAddress
+	}
+	return converted
+}
+
+func userCreateToModel(u *management.CreateUserRequest) *usr_model.User {
+	preferredLanguage, err := language.Parse(u.PreferredLanguage)
+	logging.Log("GRPC-cK5k2").OnError(err).Debug("language malformed")
+
+	user := &usr_model.User{
+		Profile: &usr_model.Profile{
+			UserName:          u.UserName,
+			FirstName:         u.FirstName,
+			LastName:          u.LastName,
+			NickName:          u.NickName,
+			PreferredLanguage: preferredLanguage,
+			Gender:            genderToModel(u.Gender),
+		},
+		Email: &usr_model.Email{
+			EmailAddress:    u.Email,
+			IsEmailVerified: u.IsEmailVerified,
+		},
+		Address: &usr_model.Address{
+			Country:       u.Country,
+			Locality:      u.Locality,
+			PostalCode:    u.PostalCode,
+			Region:        u.Region,
+			StreetAddress: u.StreetAddress,
+		},
+	}
+	if u.Password != "" {
+		user.Password = &usr_model.Password{SecretString: u.Password}
+	}
+	if u.Phone != "" {
+		user.Phone = &usr_model.Phone{PhoneNumber: u.Phone, IsPhoneVerified: u.IsPhoneVerified}
+	}
+	return user
+}
+
+func passwordRequestToModel(r *management.PasswordRequest) *usr_model.Password {
+	return &usr_model.Password{
+		ObjectRoot:   models.ObjectRoot{AggregateID: r.Id},
+		SecretString: r.Password,
+	}
+}
+
+func userSearchRequestsToModel(project *management.UserSearchRequest) *usr_model.UserSearchRequest {
+	return &usr_model.UserSearchRequest{
+		Offset:  project.Offset,
+		Limit:   project.Limit,
+		Queries: userSearchQueriesToModel(project.Queries),
+	}
+}
+
+func userSearchQueriesToModel(queries []*management.UserSearchQuery) []*usr_model.UserSearchQuery {
+	converted := make([]*usr_model.UserSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = userSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func userSearchQueryToModel(query *management.UserSearchQuery) *usr_model.UserSearchQuery {
+	return &usr_model.UserSearchQuery{
+		Key:    userSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func userSearchKeyToModel(key management.UserSearchKey) usr_model.UserSearchKey {
+	switch key {
+	case management.UserSearchKey_USERSEARCHKEY_USER_NAME:
+		return usr_model.UserSearchKeyUserName
+	case management.UserSearchKey_USERSEARCHKEY_FIRST_NAME:
+		return usr_model.UserSearchKeyFirstName
+	case management.UserSearchKey_USERSEARCHKEY_LAST_NAME:
+		return usr_model.UserSearchKeyLastName
+	case management.UserSearchKey_USERSEARCHKEY_NICK_NAME:
+		return usr_model.UserSearchKeyNickName
+	case management.UserSearchKey_USERSEARCHKEY_DISPLAY_NAME:
+		return usr_model.UserSearchKeyDisplayName
+	case management.UserSearchKey_USERSEARCHKEY_EMAIL:
+		return usr_model.UserSearchKeyEmail
+	case management.UserSearchKey_USERSEARCHKEY_STATE:
+		return usr_model.UserSearchKeyState
+	default:
+		return usr_model.UserSearchKeyUnspecified
+	}
+}
+
+func profileFromModel(profile *usr_model.Profile) *management.UserProfile {
+	creationDate, err := ptypes.TimestampProto(profile.CreationDate)
+	logging.Log("GRPC-dkso3").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(profile.ChangeDate)
+	logging.Log("GRPC-ski8d").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserProfile{
+		Id:                profile.AggregateID,
+		CreationDate:      creationDate,
+		ChangeDate:        changeDate,
+		Sequence:          profile.Sequence,
+		UserName:          profile.UserName,
+		FirstName:         profile.FirstName,
+		LastName:          profile.LastName,
+		DisplayName:       profile.DisplayName,
+		NickName:          profile.NickName,
+		PreferredLanguage: profile.PreferredLanguage.String(),
+		Gender:            genderFromModel(profile.Gender),
+	}
+}
+
+func profileViewFromModel(profile *usr_model.Profile) *management.UserProfileView {
+	creationDate, err := ptypes.TimestampProto(profile.CreationDate)
+	logging.Log("GRPC-sk8sk").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(profile.ChangeDate)
+	logging.Log("GRPC-s30Ks'").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserProfileView{
+		Id:                 profile.AggregateID,
+		CreationDate:       creationDate,
+		ChangeDate:         changeDate,
+		Sequence:           profile.Sequence,
+		UserName:           profile.UserName,
+		FirstName:          profile.FirstName,
+		LastName:           profile.LastName,
+		DisplayName:        profile.DisplayName,
+		NickName:           profile.NickName,
+		PreferredLanguage:  profile.PreferredLanguage.String(),
+		Gender:             genderFromModel(profile.Gender),
+		LoginNames:         profile.LoginNames,
+		PreferredLoginName: profile.PreferredLoginName,
+	}
+}
+
+func updateProfileToModel(u *management.UpdateUserProfileRequest) *usr_model.Profile {
+	preferredLanguage, err := language.Parse(u.PreferredLanguage)
+	logging.Log("GRPC-d8k2s").OnError(err).Debug("language malformed")
+
+	return &usr_model.Profile{
+		ObjectRoot:        models.ObjectRoot{AggregateID: u.Id},
+		FirstName:         u.FirstName,
+		LastName:          u.LastName,
+		NickName:          u.NickName,
+		PreferredLanguage: preferredLanguage,
+		Gender:            genderToModel(u.Gender),
+	}
+}
+
+func emailFromModel(email *usr_model.Email) *management.UserEmail {
+	creationDate, err := ptypes.TimestampProto(email.CreationDate)
+	logging.Log("GRPC-d9ow2").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(email.ChangeDate)
+	logging.Log("GRPC-s0dkw").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserEmail{
+		Id:              email.AggregateID,
+		CreationDate:    creationDate,
+		ChangeDate:      changeDate,
+		Sequence:        email.Sequence,
+		Email:           email.EmailAddress,
+		IsEmailVerified: email.IsEmailVerified,
+	}
+}
+
+func emailViewFromModel(email *usr_model.Email) *management.UserEmailView {
+	creationDate, err := ptypes.TimestampProto(email.CreationDate)
+	logging.Log("GRPC-sKefs").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(email.ChangeDate)
+	logging.Log("GRPC-0isjD").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserEmailView{
+		Id:              email.AggregateID,
+		CreationDate:    creationDate,
+		ChangeDate:      changeDate,
+		Sequence:        email.Sequence,
+		Email:           email.EmailAddress,
+		IsEmailVerified: email.IsEmailVerified,
+	}
+}
+
+func updateEmailToModel(e *management.UpdateUserEmailRequest) *usr_model.Email {
+	return &usr_model.Email{
+		ObjectRoot:      models.ObjectRoot{AggregateID: e.Id},
+		EmailAddress:    e.Email,
+		IsEmailVerified: e.IsEmailVerified,
+	}
+}
+
+func phoneFromModel(phone *usr_model.Phone) *management.UserPhone {
+	creationDate, err := ptypes.TimestampProto(phone.CreationDate)
+	logging.Log("GRPC-ps9ws").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(phone.ChangeDate)
+	logging.Log("GRPC-09ewq").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserPhone{
+		Id:              phone.AggregateID,
+		CreationDate:    creationDate,
+		ChangeDate:      changeDate,
+		Sequence:        phone.Sequence,
+		Phone:           phone.PhoneNumber,
+		IsPhoneVerified: phone.IsPhoneVerified,
+	}
+}
+
+func phoneViewFromModel(phone *usr_model.Phone) *management.UserPhoneView {
+	creationDate, err := ptypes.TimestampProto(phone.CreationDate)
+	logging.Log("GRPC-6gSj").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(phone.ChangeDate)
+	logging.Log("GRPC-lKs8f").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserPhoneView{
+		Id:              phone.AggregateID,
+		CreationDate:    creationDate,
+		ChangeDate:      changeDate,
+		Sequence:        phone.Sequence,
+		Phone:           phone.PhoneNumber,
+		IsPhoneVerified: phone.IsPhoneVerified,
+	}
+}
+func updatePhoneToModel(e *management.UpdateUserPhoneRequest) *usr_model.Phone {
+	return &usr_model.Phone{
+		ObjectRoot:      models.ObjectRoot{AggregateID: e.Id},
+		PhoneNumber:     e.Phone,
+		IsPhoneVerified: e.IsPhoneVerified,
+	}
+}
+
+func addressFromModel(address *usr_model.Address) *management.UserAddress {
+	creationDate, err := ptypes.TimestampProto(address.CreationDate)
+	logging.Log("GRPC-ud8w7").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(address.ChangeDate)
+	logging.Log("GRPC-si9ws").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserAddress{
+		Id:            address.AggregateID,
+		CreationDate:  creationDate,
+		ChangeDate:    changeDate,
+		Sequence:      address.Sequence,
+		Country:       address.Country,
+		StreetAddress: address.StreetAddress,
+		Region:        address.Region,
+		PostalCode:    address.PostalCode,
+		Locality:      address.Locality,
+	}
+}
+
+func addressViewFromModel(address *usr_model.Address) *management.UserAddressView {
+	creationDate, err := ptypes.TimestampProto(address.CreationDate)
+	logging.Log("GRPC-67stC").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(address.ChangeDate)
+	logging.Log("GRPC-0jSfs").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserAddressView{
+		Id:            address.AggregateID,
+		CreationDate:  creationDate,
+		ChangeDate:    changeDate,
+		Sequence:      address.Sequence,
+		Country:       address.Country,
+		StreetAddress: address.StreetAddress,
+		Region:        address.Region,
+		PostalCode:    address.PostalCode,
+		Locality:      address.Locality,
+	}
+}
+
+func updateAddressToModel(address *management.UpdateUserAddressRequest) *usr_model.Address {
+	return &usr_model.Address{
+		ObjectRoot:    models.ObjectRoot{AggregateID: address.Id},
+		Country:       address.Country,
+		StreetAddress: address.StreetAddress,
+		Region:        address.Region,
+		PostalCode:    address.PostalCode,
+		Locality:      address.Locality,
+	}
+}
+
+func userSearchResponseFromModel(response *usr_model.UserSearchResponse) *management.UserSearchResponse {
+	return &management.UserSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      userViewsFromModel(response.Result),
+	}
+}
+
+func userViewsFromModel(users []*usr_model.UserView) []*management.UserView {
+	converted := make([]*management.UserView, len(users))
+	for i, user := range users {
+		converted[i] = userViewFromModel(user)
+	}
+	return converted
+}
+
+func userViewFromModel(user *usr_model.UserView) *management.UserView {
+	creationDate, err := ptypes.TimestampProto(user.CreationDate)
+	logging.Log("GRPC-dl9we").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(user.ChangeDate)
+	logging.Log("GRPC-lpsg5").OnError(err).Debug("unable to parse timestamp")
+
+	lastLogin, err := ptypes.TimestampProto(user.LastLogin)
+	logging.Log("GRPC-dksi3").OnError(err).Debug("unable to parse timestamp")
+
+	passwordChanged, err := ptypes.TimestampProto(user.PasswordChanged)
+	logging.Log("GRPC-dl9ws").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserView{
+		Id:                 user.ID,
+		State:              userStateFromModel(user.State),
+		CreationDate:       creationDate,
+		ChangeDate:         changeDate,
+		LastLogin:          lastLogin,
+		PasswordChanged:    passwordChanged,
+		UserName:           user.UserName,
+		FirstName:          user.FirstName,
+		LastName:           user.LastName,
+		DisplayName:        user.DisplayName,
+		NickName:           user.NickName,
+		PreferredLanguage:  user.PreferredLanguage,
+		Gender:             genderFromModel(user.Gender),
+		Email:              user.Email,
+		IsEmailVerified:    user.IsEmailVerified,
+		Phone:              user.Phone,
+		IsPhoneVerified:    user.IsPhoneVerified,
+		Country:            user.Country,
+		Locality:           user.Locality,
+		PostalCode:         user.PostalCode,
+		Region:             user.Region,
+		StreetAddress:      user.StreetAddress,
+		Sequence:           user.Sequence,
+		ResourceOwner:      user.ResourceOwner,
+		LoginNames:         user.LoginNames,
+		PreferredLoginName: user.PreferredLoginName,
+	}
+}
+
+func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.MultiFactor {
+	converted := make([]*management.MultiFactor, len(mfas))
+	for i, mfa := range mfas {
+		converted[i] = mfaFromModel(mfa)
+	}
+	return converted
+}
+
+func mfaFromModel(mfa *usr_model.MultiFactor) *management.MultiFactor {
+	return &management.MultiFactor{
+		State: mfaStateFromModel(mfa.State),
+		Type:  mfaTypeFromModel(mfa.Type),
+	}
+}
+
+func notifyTypeToModel(state management.NotificationType) usr_model.NotificationType {
+	switch state {
+	case management.NotificationType_NOTIFICATIONTYPE_EMAIL:
+		return usr_model.NotificationTypeEmail
+	case management.NotificationType_NOTIFICATIONTYPE_SMS:
+		return usr_model.NotificationTypeSms
+	default:
+		return usr_model.NotificationTypeEmail
+	}
+}
+
+func userStateFromModel(state usr_model.UserState) management.UserState {
+	switch state {
+	case usr_model.UserStateActive:
+		return management.UserState_USERSTATE_ACTIVE
+	case usr_model.UserStateInactive:
+		return management.UserState_USERSTATE_INACTIVE
+	case usr_model.UserStateLocked:
+		return management.UserState_USERSTATE_LOCKED
+	case usr_model.UserStateInitial:
+		return management.UserState_USERSTATE_INITIAL
+	case usr_model.UserStateSuspend:
+		return management.UserState_USERSTATE_SUSPEND
+	default:
+		return management.UserState_USERSTATE_UNSPECIFIED
+	}
+}
+
+func genderFromModel(gender usr_model.Gender) management.Gender {
+	switch gender {
+	case usr_model.GenderFemale:
+		return management.Gender_GENDER_FEMALE
+	case usr_model.GenderMale:
+		return management.Gender_GENDER_MALE
+	case usr_model.GenderDiverse:
+		return management.Gender_GENDER_DIVERSE
+	default:
+		return management.Gender_GENDER_UNSPECIFIED
+	}
+}
+
+func genderToModel(gender management.Gender) usr_model.Gender {
+	switch gender {
+	case management.Gender_GENDER_FEMALE:
+		return usr_model.GenderFemale
+	case management.Gender_GENDER_MALE:
+		return usr_model.GenderMale
+	case management.Gender_GENDER_DIVERSE:
+		return usr_model.GenderDiverse
+	default:
+		return usr_model.GenderUnspecified
+	}
+}
+
+func mfaTypeFromModel(mfatype usr_model.MfaType) management.MfaType {
+	switch mfatype {
+	case usr_model.MfaTypeOTP:
+		return management.MfaType_MFATYPE_OTP
+	case usr_model.MfaTypeSMS:
+		return management.MfaType_MFATYPE_SMS
+	default:
+		return management.MfaType_MFATYPE_UNSPECIFIED
+	}
+}
+
+func mfaStateFromModel(state usr_model.MfaState) management.MFAState {
+	switch state {
+	case usr_model.MfaStateReady:
+		return management.MFAState_MFASTATE_READY
+	case usr_model.MfaStateNotReady:
+		return management.MFAState_MFASTATE_NOT_READY
+	default:
+		return management.MFAState_MFASTATE_UNSPECIFIED
+	}
+}
+
+func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *management.Changes) {
+	return &management.Changes{
+		Limit:   limit,
+		Offset:  offset,
+		Changes: userChangesToMgtAPI(response),
+	}
+}
+
+func userChangesToMgtAPI(changes *usr_model.UserChanges) (_ []*management.Change) {
+	result := make([]*management.Change, len(changes.Changes))
+
+	for i, change := range changes.Changes {
+		var data *structpb.Struct
+		changedData, err := json.Marshal(change.Data)
+		if err == nil {
+			data = new(structpb.Struct)
+			err = protojson.Unmarshal(changedData, data)
+			logging.Log("GRPC-a7F54").OnError(err).Debug("unable to marshal changed data to struct")
+		}
+
+		result[i] = &management.Change{
+			ChangeDate: change.ChangeDate,
+			EventType:  message.NewLocalizedEventType(change.EventType),
+			Sequence:   change.Sequence,
+			Data:       data,
+			EditorId:   change.ModifierId,
+			Editor:     change.ModifierName,
+		}
+	}
+
+	return result
+}

internal/api/grpc/management/user_grant.go

@@ -0,0 +1,182 @@
+package management
+
+import (
+	"context"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) SearchUserGrants(ctx context.Context, in *management.UserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
+	request := userGrantSearchRequestsToModel(in)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
+	response, err := s.usergrant.SearchUserGrants(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return userGrantSearchResponseFromModel(response), nil
+}
+
+func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGrantID) (*management.UserGrantView, error) {
+	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userGrantViewFromModel(user), nil
+}
+
+func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
+	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) {
+	user, err := s.usergrant.ChangeUserGrant(ctx, userGrantUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
+	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+func (s *Server) ReactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
+	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) RemoveUserGrant(ctx context.Context, in *management.UserGrantID) (*empty.Empty, error) {
+	err := s.usergrant.RemoveUserGrant(ctx, in.Id)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) BulkCreateUserGrant(ctx context.Context, in *management.UserGrantCreateBulk) (*empty.Empty, error) {
+	err := s.usergrant.BulkAddUserGrant(ctx, userGrantCreateBulkToModel(in)...)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) BulkUpdateUserGrant(ctx context.Context, in *management.UserGrantUpdateBulk) (*empty.Empty, error) {
+	err := s.usergrant.BulkChangeUserGrant(ctx, userGrantUpdateBulkToModel(in)...)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGrantRemoveBulk) (*empty.Empty, error) {
+	err := s.usergrant.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in)...)
+	return &empty.Empty{}, err
+}
+
+func (s *Server) SearchProjectUserGrants(ctx context.Context, in *management.ProjectUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
+	request := projectUserGrantSearchRequestsToModel(in)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
+	request.AppendProjectIDQuery(in.ProjectId)
+	response, err := s.usergrant.SearchUserGrants(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return userGrantSearchResponseFromModel(response), nil
+}
+
+func (s *Server) ProjectUserGrantByID(ctx context.Context, request *management.ProjectUserGrantID) (*management.UserGrantView, error) {
+	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userGrantViewFromModel(user), nil
+}
+
+func (s *Server) CreateProjectUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
+	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantUpdate) (*management.UserGrant, error) {
+	user, err := s.usergrant.ChangeUserGrant(ctx, projectUserGrantUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
+	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
+	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *management.ProjectGrantUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
+	grant, err := s.project.ProjectGrantByID(ctx, in.ProjectGrantId)
+	if err != nil {
+		return nil, err
+	}
+	request := projectGrantUserGrantSearchRequestsToModel(in)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
+	request.AppendProjectIDQuery(grant.ProjectID)
+	response, err := s.usergrant.SearchUserGrants(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+	return userGrantSearchResponseFromModel(response), nil
+}
+
+func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *management.ProjectGrantUserGrantID) (*management.UserGrantView, error) {
+	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
+	if err != nil {
+		return nil, err
+	}
+	return userGrantViewFromModel(user), nil
+}
+
+func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantCreate) (*management.UserGrant, error) {
+	user, err := s.usergrant.AddUserGrant(ctx, projectGrantUserGrantCreateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantUpdate) (*management.UserGrant, error) {
+	user, err := s.usergrant.ChangeUserGrant(ctx, projectGrantUserGrantUpdateToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
+	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}
+
+func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
+	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
+	if err != nil {
+		return nil, err
+	}
+	return usergrantFromModel(user), nil
+}

internal/api/grpc/management/user_grant_converter.go

@@ -0,0 +1,203 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	grant_model "github.com/caos/zitadel/internal/usergrant/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func usergrantFromModel(grant *grant_model.UserGrant) *management.UserGrant {
+	creationDate, err := ptypes.TimestampProto(grant.CreationDate)
+	logging.Log("GRPC-ki9ds").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(grant.ChangeDate)
+	logging.Log("GRPC-sl9ew").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserGrant{
+		Id:           grant.AggregateID,
+		UserId:       grant.UserID,
+		State:        usergrantStateFromModel(grant.State),
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+		Sequence:     grant.Sequence,
+		ProjectId:    grant.ProjectID,
+		RoleKeys:     grant.RoleKeys,
+	}
+}
+
+func userGrantCreateBulkToModel(u *management.UserGrantCreateBulk) []*grant_model.UserGrant {
+	grants := make([]*grant_model.UserGrant, len(u.UserGrants))
+	for i, grant := range u.UserGrants {
+		grants[i] = userGrantCreateToModel(grant)
+	}
+	return grants
+}
+
+func userGrantCreateToModel(u *management.UserGrantCreate) *grant_model.UserGrant {
+	return &grant_model.UserGrant{
+		ObjectRoot: models.ObjectRoot{AggregateID: u.UserId},
+		UserID:     u.UserId,
+		ProjectID:  u.ProjectId,
+		RoleKeys:   u.RoleKeys,
+	}
+}
+
+func userGrantUpdateBulkToModel(u *management.UserGrantUpdateBulk) []*grant_model.UserGrant {
+	grants := make([]*grant_model.UserGrant, len(u.UserGrants))
+	for i, grant := range u.UserGrants {
+		grants[i] = userGrantUpdateToModel(grant)
+	}
+	return grants
+}
+
+func userGrantUpdateToModel(u *management.UserGrantUpdate) *grant_model.UserGrant {
+	return &grant_model.UserGrant{
+		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
+		RoleKeys:   u.RoleKeys,
+	}
+}
+
+func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string {
+	ids := make([]string, len(u.Ids))
+	for i, id := range u.Ids {
+		ids[i] = id
+	}
+	return ids
+}
+
+func projectUserGrantUpdateToModel(u *management.ProjectUserGrantUpdate) *grant_model.UserGrant {
+	return &grant_model.UserGrant{
+		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
+		RoleKeys:   u.RoleKeys,
+	}
+}
+
+func projectGrantUserGrantCreateToModel(u *management.ProjectGrantUserGrantCreate) *grant_model.UserGrant {
+	return &grant_model.UserGrant{
+		UserID:    u.UserId,
+		ProjectID: u.ProjectId,
+		RoleKeys:  u.RoleKeys,
+	}
+}
+
+func projectGrantUserGrantUpdateToModel(u *management.ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
+	return &grant_model.UserGrant{
+		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
+		RoleKeys:   u.RoleKeys,
+	}
+}
+
+func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+	return &grant_model.UserGrantSearchRequest{
+		Offset:  project.Offset,
+		Limit:   project.Limit,
+		Queries: userGrantSearchQueriesToModel(project.Queries),
+	}
+}
+
+func userGrantSearchQueriesToModel(queries []*management.UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery {
+	converted := make([]*grant_model.UserGrantSearchQuery, len(queries))
+	for i, q := range queries {
+		converted[i] = userGrantSearchQueryToModel(q)
+	}
+	return converted
+}
+
+func userGrantSearchQueryToModel(query *management.UserGrantSearchQuery) *grant_model.UserGrantSearchQuery {
+	return &grant_model.UserGrantSearchQuery{
+		Key:    userGrantSearchKeyToModel(query.Key),
+		Method: searchMethodToModel(query.Method),
+		Value:  query.Value,
+	}
+}
+
+func userGrantSearchKeyToModel(key management.UserGrantSearchKey) grant_model.UserGrantSearchKey {
+	switch key {
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_ID:
+		return grant_model.UserGrantSearchKeyResourceOwner
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_ID:
+		return grant_model.UserGrantSearchKeyProjectID
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_USER_ID:
+		return grant_model.UserGrantSearchKeyUserID
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ROLE_KEY:
+		return grant_model.UserGrantSearchKeyRoleKey
+	default:
+		return grant_model.UserGrantSearchKeyUnspecified
+	}
+}
+
+func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *management.UserGrantSearchResponse {
+	return &management.UserGrantSearchResponse{
+		Offset:      response.Offset,
+		Limit:       response.Limit,
+		TotalResult: response.TotalResult,
+		Result:      userGrantViewsFromModel(response.Result),
+	}
+}
+
+func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*management.UserGrantView {
+	converted := make([]*management.UserGrantView, len(users))
+	for i, user := range users {
+		converted[i] = userGrantViewFromModel(user)
+	}
+	return converted
+}
+
+func userGrantViewFromModel(grant *grant_model.UserGrantView) *management.UserGrantView {
+	creationDate, err := ptypes.TimestampProto(grant.CreationDate)
+	logging.Log("GRPC-dl9we").OnError(err).Debug("unable to parse timestamp")
+
+	changeDate, err := ptypes.TimestampProto(grant.ChangeDate)
+	logging.Log("GRPC-lpsg5").OnError(err).Debug("unable to parse timestamp")
+
+	return &management.UserGrantView{
+		Id:            grant.ID,
+		State:         usergrantStateFromModel(grant.State),
+		CreationDate:  creationDate,
+		ChangeDate:    changeDate,
+		Sequence:      grant.Sequence,
+		ResourceOwner: grant.ResourceOwner,
+		UserName:      grant.UserName,
+		FirstName:     grant.FirstName,
+		LastName:      grant.LastName,
+		Email:         grant.Email,
+		ProjectName:   grant.ProjectName,
+		OrgName:       grant.OrgName,
+		OrgDomain:     grant.OrgDomain,
+		RoleKeys:      grant.RoleKeys,
+		UserId:        grant.UserID,
+		ProjectId:     grant.ProjectID,
+		OrgId:         grant.ResourceOwner,
+		DisplayName:   grant.DisplayName,
+	}
+}
+
+func usergrantStateFromModel(state grant_model.UserGrantState) management.UserGrantState {
+	switch state {
+	case grant_model.UserGrantStateActive:
+		return management.UserGrantState_USERGRANTSTATE_ACTIVE
+	case grant_model.UserGrantStateInactive:
+		return management.UserGrantState_USERGRANTSTATE_INACTIVE
+	default:
+		return management.UserGrantState_USERGRANTSTATE_UNSPECIFIED
+	}
+}
+
+func projectUserGrantSearchRequestsToModel(project *management.ProjectUserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+	return &grant_model.UserGrantSearchRequest{
+		Offset:  project.Offset,
+		Limit:   project.Limit,
+		Queries: userGrantSearchQueriesToModel(project.Queries),
+	}
+}
+
+func projectGrantUserGrantSearchRequestsToModel(project *management.ProjectGrantUserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+	return &grant_model.UserGrantSearchRequest{
+		Offset:  project.Offset,
+		Limit:   project.Limit,
+		Queries: userGrantSearchQueriesToModel(project.Queries),
+	}
+}